Filter defense XSS of Java audit

0x00 Preface

This post looks at a few small audit details from both the attack and the defense side. The two previous XSS audit articles left out one important point: the filter. The usual advice is that the first step of a Java audit is to read web.xml, which shows which frameworks the CMS is built on; the second step is to check which filters are configured there.

Previous audit articles:

XSS of Java audit

XSS audit points of Java audit

0x01 filter defense XSS

Filters were already covered in the Java learning series:

Filters and listeners in Java learning

One concept needs to be clear here. Filters are part of the Servlet specification and work in any servlet-based framework; interceptors are specific to Spring MVC.

A filter is configured in web.xml; an interceptor is configured in the Spring MVC configuration file (springmvc.xml).

That is why we look at web.xml first.

Look at the screenshot below.

This is a simple CRUD (add, delete, modify, query) page I wrote with SSM (Spring + Spring MVC + MyBatis). Click Add and put an XSS payload directly in the email field.

An alert box pops up: the code does no processing at all.

To prevent XSS, the previous audit article mentioned using a utility class to escape parameters on input or on output. But if a developer overlooks one spot and forgets to process it, the vulnerability remains. Also, every input and every output has to be handled individually, which is tedious. To solve this, the filter discussed here can be used as a global filter.

Configure it in web.xml.

web.xml file:

<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>com.test.filter.xssFiler</filter-class>
</filter>
<!-- mitigate XSS: apply the filter to every URL -->
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Filter code:

package com.test.filter;

import com.test.utils.XssFilterWrapper;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Purpose: XSS filter
 * Author: Tiddler
 * Date: 2018/11/11 10:21
 * Class: xssFiler
 **/
public class xssFiler implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Wrap the request so that downstream code sees escaped parameter values
        System.out.println("filter executed");
        XssFilterWrapper xssFilterWrapper = new XssFilterWrapper((HttpServletRequest) servletRequest);
        filterChain.doFilter(xssFilterWrapper, servletResponse);
    }

    @Override
    public void destroy() {

    }
}

XssFilterWrapper code:

package com.test.utils;

import org.springframework.web.util.HtmlUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Purpose: anti-XSS filter [request wrapper]
 * Author: Tiddler
 * Date: 2018/11/11 10:20
 * Class: XssFilterWrapper
 **/
public class XssFilterWrapper extends HttpServletRequestWrapper {
    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }
    /**
     * Escape special characters in (array-valued) parameters.
     * Note: only getParameterValues() is overridden; getParameter() and
     * getParameterMap() on this wrapper still hand back the raw values.
     */
    @Override
    public String[] getParameterValues(String name) {
        if ("content".equals(name)) { // parameter we do not want to filter; "content" carries rich text
            return super.getParameterValues(name);
        }
        String[] values = super.getParameterValues(name);
        if (values == null) { // parameter not present in the request
            return null;
        }
        String[] newValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            newValues[i] = HtmlUtils.htmlEscape(values[i]); // escape with Spring's HtmlUtils
        }
        return newValues;
    }

}

After inserting the same payload, the script no longer executes; the text is output literally.

Printing all received values in the controller shows that the email value has indeed been entity-encoded.
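The wrapper above only intercepts getParameterValues(); code that reads the same request through getParameter() or getParameterMap() still sees the raw string, because HttpServletRequestWrapper delegates each method to the wrapped request independently, and a parameter that is absent from the request makes the original loop throw a NullPointerException. The following is an added example, not the original post's code, of a wrapper that closes both gaps. The class name EscapingRequestWrapper and the rawParameters allow-list are my own; it assumes the same dependencies as the post (javax.servlet and Spring's HtmlUtils).

```java
package com.test.utils;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.web.util.HtmlUtils;

/**
 * Escaping wrapper covering all three parameter accessors.
 * Hypothetical replacement for XssFilterWrapper (example code, not the post's).
 */
public class EscapingRequestWrapper extends HttpServletRequestWrapper {

    // Parameters deliberately left raw (e.g. rich-text "content").
    // Anything listed here MUST be sanitized on output instead; this
    // set is exactly what an auditor should look for first.
    private final Set<String> rawParameters;

    public EscapingRequestWrapper(HttpServletRequest request, Set<String> rawParameters) {
        super(request);
        this.rawParameters = rawParameters == null ? Collections.<String>emptySet() : rawParameters;
    }

    @Override
    public String getParameter(String name) {
        return escape(name, super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {            // absent parameter: return null, do not NPE
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(name, values[i]);
        }
        return escaped;
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new HashMap<String, String[]>();
        for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
            escaped.put(e.getKey(), getParameterValues(e.getKey()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    // Entity-escape unless the parameter is on the raw allow-list.
    private String escape(String name, String value) {
        if (value == null || rawParameters.contains(name)) {
            return value;
        }
        return HtmlUtils.htmlEscape(value);
    }
}
```

In the filter, replace the wrapper construction with `new EscapingRequestWrapper((HttpServletRequest) servletRequest, Collections.singleton("content"))`. Keep in mind what entity escaping does and does not cover: it is correct for values rendered in the HTML body or inside a quoted attribute, but a value written into an unquoted attribute, a URL (`javascript:` needs no angle brackets or quotes), or a script block needs context-specific encoding that this filter does not provide.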

0x02 some thoughts

Once you know that a filter can prevent XSS, an audit that finds a parameter read and output with no escaping in the call chain should check whether a Filter is doing it globally before reporting a bug. One consequence is that XSS in Java applications tends to be less common: if everything can be escaped globally, why go through the trouble of escaping parameter by parameter? There are exceptions, of course. For example, if a value must keep its raw form and must not be entity-encoded, a different code path has to handle it. Look again at this part of the XssFilterWrapper code:

if ("content".equals(name)) { // parameter we do not want to filter; "content" carries rich text
    return super.getParameterValues(name);
}

Wherever the content parameter is read, it is returned unprocessed, so XSS is still possible through it. During an audit, the exempt list in the wrapper is the first thing to trace: find every place those parameters are stored and rendered, and check what, if anything, sanitizes them.
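Exempting a rich-text parameter from the filter is legitimate only if that parameter gets a different treatment: an allow-list HTML sanitizer instead of entity escaping. The block below is an added example, not code from the post, that puts the two side by side. It assumes the OWASP Java HTML Sanitizer (package org.owasp.html, artifact owasp-java-html-sanitizer) in addition to Spring's HtmlUtils; the class name RichTextSanitizer and the payloads are constructed for the demonstration.

```java
package com.test.utils;

import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
import org.springframework.web.util.HtmlUtils;

/**
 * Two treatments for two kinds of parameter (example code, not the post's):
 *  - plain parameters (email, name, ...) are entity-escaped by the filter,
 *    since they are never meant to contain markup;
 *  - a rich-text parameter such as "content" is exempted from the filter so
 *    the editor's markup survives, and therefore must be sanitized with an
 *    allow-list before it is stored or rendered.
 */
public final class RichTextSanitizer {

    // Allow-list policy: basic formatting, block elements, and links with
    // safe URL schemes only (javascript: is removed by the LINKS policy).
    private static final PolicyFactory POLICY =
            Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS);

    private RichTextSanitizer() {}

    /** For parameters on the filter's exempt list: keep allowed markup, drop the rest. */
    public static String sanitizeRichText(String untrustedHtml) {
        return untrustedHtml == null ? null : POLICY.sanitize(untrustedHtml);
    }

    /** For every other parameter: the same escaping the global filter applies. */
    public static String escapePlainText(String untrusted) {
        return untrusted == null ? null : HtmlUtils.htmlEscape(untrusted);
    }

    public static void main(String[] args) {
        // Constructed payloads, of the kind a tester would submit in "content".
        String[] payloads = {
            "<b>hello</b><script>alert(1)</script>",
            "<a href=\"javascript:alert(1)\">click</a>",
            "<img src=x onerror=alert(1)>",
            "<p onmouseover=\"alert(1)\">text</p>",
        };
        for (String p : payloads) {
            System.out.println("raw:       " + p);
            // escaping neutralises the markup, but also destroys it
            System.out.println("escaped:   " + escapePlainText(p));
            // sanitizing keeps <b>, <p>, safe <a>; script, event handlers and javascript: are dropped
            System.out.println("sanitized: " + sanitizeRichText(p));
            System.out.println();
        }
    }
}
```

The second payload also shows a limit of the global filter itself: `HtmlUtils.htmlEscape("javascript:alert(1)")` returns the string unchanged, so a plain parameter that ends up in an href attribute is not protected by entity escaping at all and needs a URL scheme check of its own.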

