
防止web端脚本攻击的过滤器(可过滤大部分脚本攻击)



在后台进行攻击拦截是必要的,下面是我所使用的防止web端脚本攻击的过滤器工具。

1.配置文件:

1 <!-- Request interception: every request path ("/**") is passed through UserAuthorityInterceptor before its handler runs -->
2 <mvc:interceptors>
3         <mvc:interceptor>
4             <mvc:mapping path="/**"/>
5             <bean class="com.demo.filter.UserAuthorityInterceptor"></bean>   
6         </mvc:interceptor>
7 </mvc:interceptors>

2.拦截器:

  1 package com.demo.filter;
  2 
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URLDecoder;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
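/**
 * Spring MVC interceptor that rejects a request when any request parameter value matches one of a
 * fixed set of script-injection patterns.
 *
 * <p>Only parameter values are inspected (query string / form parameters, and for PUT/DELETE a
 * form-encoded body). Parameter names, headers, cookies and non-form bodies are not examined, and
 * the list is a blacklist, so contextual output encoding in the views remains the primary XSS
 * defence; this interceptor is a coarse first line only.
 *
 * <p>Not thread-safe state is kept; all rules are compiled once and shared read-only.
 */
public class UserAuthorityInterceptor extends HandlerInterceptorAdapter {

    /** Separator placed between the values of a repeated parameter (ASCII "group separator"). */
    private static final char MULTI_VALUE_SEPARATOR = (char) 29;

    /** jQuery's cache-busting parameter ({@code _=<timestamp>}); it never carries user data. */
    private static final String JQUERY_CACHE_PARAM = "_";

    /**
     * Rejection rules keyed by a short name, in evaluation order.
     *
     * <p>Patterns are compiled once with CASE_INSENSITIVE and DOTALL and applied with
     * {@code find()}: a plain {@code String.matches(".*<.*script.*>.*")} did not match
     * {@code <SCRIPT>} and, because {@code .} excludes line terminators, let any value containing a
     * newline through unchecked.
     */
    private static final Map<String, Pattern> BLOCKED_PATTERNS;

    static {
        Map<String, Pattern> rules = new LinkedHashMap<String, Pattern>();
        rules.put("script", compileRule("<.*script.*>"));
        rules.put("alert", compileRule("alert\\(.*?\\)"));
        rules.put("textarea", compileRule("<.*textarea.*>"));
        rules.put("onmouseover", compileRule("onmouseover"));
        rules.put("iframe", compileRule("<.*iframe.*>"));
        rules.put("object data=data:text/html", compileRule("object data=data:text/html"));
        BLOCKED_PATTERNS = Collections.unmodifiableMap(rules);
    }

    /** Compiles one rule with the flags shared by every entry of {@link #BLOCKED_PATTERNS}. */
    private static Pattern compileRule(String regex) {
        return Pattern.compile(regex, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    }

    /**
     * Checks every parameter value against {@link #BLOCKED_PATTERNS}.
     *
     * @param request  the incoming request; its parameters are collected with
     *                 {@link #getRequestParamMap(HttpServletRequest)}
     * @param response receives a 400 page when a value is rejected
     * @param handler  the matched handler (unused)
     * @return {@code true} when no value matches a rule, {@code false} after a rejection has been
     *         written to {@code response}
     * @throws Exception if the response writer cannot be obtained
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        Map<String, Object> params = getRequestParamMap(request);
        for (Map.Entry<String, Object> param : params.entrySet()) {
            Object rawValue = param.getValue();
            if (rawValue == null) {
                // A missing value carries no payload; keep checking the remaining parameters rather
                // than letting the whole request through on the first null.
                continue;
            }
            String value = rawValue.toString();
            for (Map.Entry<String, Pattern> rule : BLOCKED_PATTERNS.entrySet()) {
                if (rule.getValue().matcher(value).find()) {
                    reject(response, rule.getValue().pattern());
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Writes the rejection page and marks the response as a client error.
     *
     * <p>Only the matched rule (a compile-time constant) is echoed, never the offending request
     * value, so the rejection page itself cannot be used to reflect attacker-controlled text.
     *
     * @param response    the response to write to
     * @param rulePattern the regex of the rule that matched
     * @throws IOException if the writer cannot be obtained
     */
    private static void reject(HttpServletResponse response, String rulePattern) throws IOException {
        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().write("<html><body><script type=\"text/javascript\">alert('请勿进行非法操作!非法的参数是:"
                + rulePattern + "')</script></body></html>");
    }

    /**
     * Collects all request parameters (insertion order preserved). Repeated names are joined with
     * {@link #MULTI_VALUE_SEPARATOR}.
     *
     * <p>For PUT and DELETE the servlet API does not populate {@code getParameter*}, so the body is
     * parsed here as {@code application/x-www-form-urlencoded}; for every other method the
     * container's parameter map is used.
     *
     * @param request the request to read
     * @return name → value map; values are {@code String}s
     * @throws RuntimeException wrapping the {@link IOException} if the body cannot be read
     */
    public static Map<String, Object> getRequestParamMap(HttpServletRequest request) {
        Map<String, Object> paramMap = new LinkedHashMap<String, Object>();
        try {
            String method = request.getMethod();
            if ("put".equalsIgnoreCase(method) || "delete".equalsIgnoreCase(method)) {
                parseFormBody(request, paramMap);
            } else {
                copyServletParameters(request, paramMap);
            }
        } catch (IOException e) {
            throw new RuntimeException("failed to read request parameters", e);
        }
        return paramMap;
    }

    /**
     * Parses a PUT/DELETE body as {@code name=value&name=value} pairs into {@code paramMap}.
     *
     * <p>Each name and value is URL-decoded <em>after</em> splitting on {@code &} and {@code =},
     * so an encoded {@code %26} or {@code %3D} inside a value cannot be mistaken for a delimiter.
     * NOTE(review): this consumes {@code request.getInputStream()}; a handler behind this
     * interceptor will see an empty body unless the request is wrapped — confirm against callers.
     *
     * @param request  the request whose body is read
     * @param paramMap receives the parsed pairs
     * @throws IOException if the body cannot be read
     */
    private static void parseFormBody(HttpServletRequest request, Map<String, Object> paramMap)
            throws IOException {
        String body = getString(request.getInputStream());
        if (body.isEmpty()) {
            return;
        }
        for (String pair : body.split("&")) {
            // limit 2: a value may itself contain '='
            String[] nameAndValue = pair.split("=", 2);
            if (nameAndValue.length != 2) {
                continue;
            }
            String paramName = URLDecoder.decode(nameAndValue[0], "UTF-8").trim();
            String paramValue = URLDecoder.decode(nameAndValue[1], "UTF-8").trim();
            if (!checkParamName(paramName)) {
                continue;
            }
            if (paramMap.containsKey(paramName)) {
                paramValue = paramMap.get(paramName) + String.valueOf(MULTI_VALUE_SEPARATOR) + paramValue;
            }
            paramMap.put(paramName, paramValue);
        }
    }

    /**
     * Copies the container-parsed parameters (query string and POST form) into {@code paramMap}.
     *
     * @param request  the request to read
     * @param paramMap receives the parameters
     */
    private static void copyServletParameters(HttpServletRequest request, Map<String, Object> paramMap) {
        Enumeration<String> paramNames = request.getParameterNames();
        while (paramNames.hasMoreElements()) {
            String paramName = paramNames.nextElement();
            if (!checkParamName(paramName)) {
                continue;
            }
            String[] values = request.getParameterValues(paramName);
            if (values == null || values.length == 0) {
                continue;
            }
            paramMap.put(paramName, joinValues(values));
        }
    }

    /** Joins repeated values with {@link #MULTI_VALUE_SEPARATOR}; a single value is returned as-is. */
    private static String joinValues(String[] values) {
        if (values.length == 1) {
            return values[0];
        }
        StringBuilder joined = new StringBuilder();
        for (int i = 0; i < values.length; i++) {
            if (i > 0) {
                joined.append(MULTI_VALUE_SEPARATOR);
            }
            joined.append(values[i]);
        }
        return joined.toString();
    }

    /**
     * Reads the whole stream as UTF-8 text, preserving line terminators.
     *
     * <p>The stream is not closed; it belongs to the caller (for a servlet request, to the
     * container).
     *
     * @param is the stream to read
     * @return the decoded content, empty for an empty stream
     * @throws RuntimeException wrapping the {@link IOException} on a read failure
     */
    public static String getString(InputStream is) {
        StringBuilder sb = new StringBuilder();
        try {
            // Explicit charset: the no-arg InputStreamReader would use the platform default.
            InputStreamReader reader = new InputStreamReader(is, "UTF-8");
            char[] buf = new char[4096];
            int n;
            while ((n = reader.read(buf)) != -1) {
                sb.append(buf, 0, n);
            }
        } catch (IOException e) {
            throw new RuntimeException("failed to read stream", e);
        }
        return sb.toString();
    }

    /**
     * Filters out parameter names that never carry user data.
     *
     * @param paramName the name to check
     * @return {@code false} for jQuery's cache-busting {@code _} parameter, {@code true} otherwise
     */
    private static boolean checkParamName(String paramName) {
        return !paramName.equals(JQUERY_CACHE_PARAM);
    }

    /** Manual smoke check of the "onmouseover" rule; not used by the web application. */
    public static void main(String[] args) {
        String sample = "88888 onmouseover=prompt(42873) bad=";
        System.out.println(BLOCKED_PATTERNS.get("onmouseover").matcher(sample).find());
    }
}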

 


原文地址:http://www.cnblogs.com/sungy/p/7729330.html
