Contents

一、Introduction
1.1、XSS attack flow
1.2、XSS attack categories
1.3、Attack methods
二、Solution
2.1、Spring Boot XSS filtering plugin (mica-xss)
2.2、mica-xss configuration
三、Hands-on project
3.1、Project environment
3.2、Testing
3.2.1、Testing GET requests
3.2.2、Testing POST requests
3.2.3、Testing POST requests that use native ServletRequest methods
四、How mica-xss works
4.1、mica-xss source code

一、Introduction

An XSS attack (cross-site scripting) usually exploits a flaw left in a web page during development: by some clever means the attacker injects malicious script into the page, so that users load and execute a program the attacker crafted. These payloads are usually JavaScript, but they can also be Java, VBScript, ActiveX, Flash or even plain HTML. After a successful attack the attacker may obtain, among other things, higher privileges (the ability to perform certain operations), private page content, sessions and cookies.

1.1、XSS attack flow

For example, a form is built without any anti-XSS handling. A user submits malicious code through that form, the browser executes the code, and the XSS attack is launched, as shown in the figure below.

1.2、XSS attack categories

XSS attacks fall into three categories: reflected, stored and DOM XSS.

Explanation:

- Reflected XSS: the XSS code is placed in the request URL and submitted to the server as input. After the server processes the submission, the XSS code is sent back to the browser together with the response, and the browser parses and executes it. Because the whole process resembles a reflection, it is called reflected XSS. Example request: https://www.域名.com/index.php?xss=<script>alert("xss攻击")</script>
- Stored XSS: "similar" to reflected XSS, except that the submitted XSS code is stored on the server, so the next time the page is requested the attack triggers without the code being submitted again. For example, during registration a user submits registration data containing XSS code; when a user later views the profile, that data is parsed and executed by the browser as ordinary HTML and JS, triggering the attack.
- DOM XSS: unlike reflected and stored XSS, DOM XSS does not involve the server at all. The attack is triggered by the browser's own DOM processing, so server-side validation and character filtering never see it. Example request: https://www.域名.com/index.html#alert(xss攻击)

1.3、Attack methods

There are many XSS attack methods; only some common ones and their goals are listed here, to motivate the anti-XSS solution for Spring Boot projects. For example:

- Stealing cookies to obtain sensitive information.
- Injecting Flash and using crossdomain permission settings to gain higher privileges, or achieving something similar with Java.
- Using iframe, frame, XMLHttpRequest or the Flash technique above to perform administrative actions, or ordinary actions such as posting to Weibo, adding friends or sending private messages, under the identity of the attacked user.
- Exploiting the fact that the vulnerable domain is trusted by other domains to request, as a trusted source, operations that are normally not allowed, such as improper voting.
- XSS on pages with very high traffic can be used to attack small websites, producing the effect of a DDoS attack.

Many junior Spring Boot developers fall for this; it also showed up recently while testing a personal project. So how do we prevent XSS attacks in a Spring Boot project?

二、Solution

From the introduction we know that XSS commonly arrives through form input, URL requests and cookies. We can therefore prevent it from the following angles:

- Apply XSS processing to form data.
- Apply XSS processing to URL request data (JSON).
- Define pass-through (exclusion) rules for URLs and server-side controller methods.

None of this has to be implemented by hand: the Spring Boot Maven dependencies mica-core and mica-xss provide the corresponding XSS security filtering.

2.1、Spring Boot XSS filtering plugin (mica-xss)

Adding the Maven dependency already completes the XSS filtering configuration.

mica-xss component description:

- Applies XSS processing to string-typed fields bound from forms.
- Applies XSS processing to JSON string data.
- Provides route-level and controller-method-level exclusion rules.

```xml
<dependency>
    <groupId>net.dreamlu</groupId>
    <artifactId>mica-xss</artifactId>
    <version>2.0.9-GA</version>
</dependency>
<dependency>
    <groupId>net.dreamlu</groupId>
    <artifactId>mica-core</artifactId>
    <version>2.1.0-GA</version>
</dependency>
```

2.2、mica-xss configuration

```yaml
mica:
  xss:
    enabled: true
    path-exclude-patterns:
    path-patterns: /**
```

三、Hands-on project

3.1、Project environment

Development tools: IDEA 2020.02, Spring Boot 2.4.1. Test tools: Google Chrome, Postman.

3.2、Testing

3.2.1、Testing GET requests

Without XSS protection: add the @XssCleanIgnore annotation to skip XSS filtering.

```java
import net.dreamlu.mica.xss.core.XssCleanIgnore;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * @author dell
 */
@RestController
@XssCleanIgnore // this annotation skips the configured XSS protection
@RequestMapping("/")
public class IndexController {

    @GetMapping("/xss")
    public String xssGet(String data) {
        System.out.println(data);
        return data;
    }
}
```

The result is shown below.

With XSS protection: remove the @XssCleanIgnore annotation; the returned value is empty. The result is shown below.

3.2.2、Testing POST requests

3.2.2.1、POST request with the XSS code in the URL

Without XSS protection: add the @XssCleanIgnore annotation to skip XSS filtering; the data is returned unchanged.

```java
import net.dreamlu.mica.xss.core.XssCleanIgnore;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * @author dell
 */
@RestController
@XssCleanIgnore // this annotation skips the configured XSS protection
@RequestMapping("/")
public class IndexController {

    @PostMapping("/xss")
    public String xssPost(String data) {
        System.out.println(data);
        return data;
    }
}
```

The result is shown below.

With XSS protection: remove the @XssCleanIgnore annotation; XSS protection filters the data and the returned value is empty.

3.2.2.2、POST request with the XSS code in the body

Without XSS protection:

```java
import net.dreamlu.mica.xss.core.XssCleanIgnore;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.Map;

/**
 * @author dell
 */
@RestController
@XssCleanIgnore // this annotation skips the configured XSS protection
@RequestMapping("/")
public class IndexController {

    @PostMapping("/xss")
    public String xssPostBody(@RequestBody Map<String, String> body) {
        System.out.println(body);
        return body.get("data");
    }
}
```

The result is shown below.

With XSS protection: remove the @XssCleanIgnore annotation; the result is shown below.

3.2.3、Testing POST requests that use native ServletRequest methods

If the controller reads input through native ServletRequest methods such as request.getParameter("xss"), mica cannot intercept it. In that case you need to add the filter described in the article below (tested and working); the principle is to override some of the native request methods and add filtering there.

SpringBoot集成Hutool防止XSS攻击实现 (wcybaonier's blog on CSDN: "Integrating Hutool in Spring Boot to prevent XSS attacks")

四、How mica-xss works

Explanation: as shown in the figure above, an XssFilter is added that intercepts the URL parameters submitted by the user, escapes them and applies a blacklist before the business logic runs. The core of mica-xss's XSS protection is wrapping the user's original request in a new request wrapper, which guarantees that the request stream can be read again in later stages of processing.

4.1、mica-xss source code

Link: https://gitee.com/596392912/mica/tree/master/mica-xss (mica-xss source code)
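As an added example (not code from this post, the linked article or the mica project), here is the kind of filter section 3.2.3 and section 四 describe: a request wrapper that overrides the native getParameter/getParameterValues, so values read through the ServletRequest API are escaped even though the mica binder never sees them. The class and method names are my own, and it assumes Spring Boot 2.x (the javax.servlet namespace used by the 2.4.1 setup above).

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.stereotype.Component;

/** Hypothetical filter (not part of mica-xss): escapes parameters read via the raw ServletRequest API.
 *  Spring Boot 2.x uses javax.servlet; Spring Boot 3 moved to jakarta.servlet. */
@Component
public class XssEscapeFilter implements Filter {
    /** HTML-escape the characters that let a value break out of a text context; null stays null. */
    static String escape(String value) {
        if (value == null) return null;
        // '&' first, so the entities produced below are not escaped a second time
        return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
    /** Wrapper handed to the rest of the chain instead of the raw request. */
    static class EscapingRequest extends HttpServletRequestWrapper {
        EscapingRequest(HttpServletRequest request) { super(request); }
        @Override
        public String getParameter(String name) {
            return escape(super.getParameter(name));
        }
        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            return raw == null ? null
                    : Arrays.stream(raw).map(XssEscapeFilter::escape).toArray(String[]::new);
        }
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests are wrapped; as a @Component bean the filter applies to every path
        if (req instanceof HttpServletRequest) {
            req = new EscapingRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }
}
```

getParameterMap() and the body reader are not overridden here; extend the wrapper the same way if the application reads through them. Input escaping mirrors the post's approach, but output encoding for the context a value lands in (HTML body, attribute, JavaScript, URL) remains the more reliable defence, because an input filter cannot know that context.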
http://www.hkea.cn/news/14367569/