1、跨站点请求伪造 跨站点脚本编制 通过框架钓鱼漏洞
主要是通过在url或参数中添加脚本如:
1、URL中添加<script>alert(1)</script>
2、参数value=<a href="http://demo.com"></a>。
添加一个过滤器对特殊字符进行拦截
package com.xxx.sys.filter; import java.io.IOException; import java.util.Enumeration; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.log4j.Logger; /** * 非法字符过滤器 * 1.所有非法字符配置在web.xml中,如需添加新字符,请自行配置 * 2.请注意请求与相应时的编码格式设置,否则遇到中文时,会出现乱码(GBK与其子集应该没问题) * @author lee * */ public class CharFilter implements Filter { private Logger log = Logger.getLogger(CharFilter.class); private String encoding; private String[] legalNames; private String[] illegalChars; public void init(FilterConfig filterConfig) throws ServletException { encoding = filterConfig.getInitParameter("encoding"); legalNames = filterConfig.getInitParameter("legalNames").split(","); illegalChars = filterConfig.getInitParameter("illegalChars").split(","); } public void destroy() { encoding = null; legalNames = null; illegalChars = null; } public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; HttpServletResponse res = (HttpServletResponse) response; //必须手动指定编码格式 req.setCharacterEncoding(encoding); String tempURL = req.getRequestURI(); log.info(tempURL); Enumeration params = req.getParameterNames(); //是否执行过滤 true:执行过滤 false:不执行过滤 boolean executable = true; //非法状态 true:非法 false;不非法 boolean illegalStatus = false; String illegalChar = ""; //对参数名与参数进行判断 w:while(params.hasMoreElements()){ String paramName = (String) params.nextElement(); executable = true; //密码不过滤 if(paramName.toLowerCase().contains("password")){ executable = false; }else{ //检查提交参数的名字,是否合法,即不过滤其提交的值 f:for(int i=0;i<legalNames.length;i++){ if(legalNames[i].equals(paramName)){ executable = false; break f; } } } if(executable){ String[] paramValues = req.getParameterValues(paramName); f1:for(int i=0;i<paramValues.length;i++){ String paramValue = paramValues[i]; f2:for(int j=0;j<illegalChars.length;j++){ illegalChar = illegalChars[j]; if(paramValue.indexOf(illegalChar) != -1){ illegalStatus = true;//非法状态 break f2; } } if(illegalStatus){ break f1; } } } if(illegalStatus){ break w; } } //对URL进行判断 for(int j=0;j<illegalChars.length;j++){ illegalChar = illegalChars[j]; if(tempURL.indexOf(illegalChar) != -1){ illegalStatus = true;//非法状态 break; } } if(illegalStatus){ //必须手动指定编码格式 res.setContentType("text/html;charset="+encoding); res.setCharacterEncoding(encoding); res.getWriter().print("<script>window.alert('当前链接中存在非法字符');window.history.go(-1);</script>"); }else{ filterChain.doFilter(request, response); } } }
web.xml code
<filter> <filter-name>charFilter</filter-name> <filter-class>com.xxx.sys.filter.CharFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>legalNames</param-name> <param-value>content1,ver,historyURL,listURL</param-value> </init-param> <init-param> <param-name>illegalChars</param-name> <param-value>|,$,@,',",\',\",<,>,(,),+,CR,LF,\",",\,http</param-value> </init-param> </filter>
文章如果对你有帮助,请点击