The network centre reported that the website has a large number of cross-site scripting (XSS) vulnerabilities. After reviewing the code, the cause is that variables bound in the JSPs are written into the page directly without any processing, and there are far too many such places across the whole project. Because the project is many years old, changing them one by one is not practical, so, following material found online, a filter was added to process the request parameters.
1. Download lucy-xss-servlet-filter from GitHub: https://github.com/naver/lucy-xss-servlet-filter
2. Open the lucy-xss-servlet-filter project and build the downloaded code into a jar.
A tutorial on exporting a project as a jar: http://blog.csdn.net/yahohi/article/details/6888559
3. Put the generated jar, together with the jars that lucy-xss-servlet-filter depends on, into the vulnerable site's /WEB-INF/lib directory or Tomcat's lib directory.
4. Add a reference to lucy-xss-servlet-filter in the vulnerable site's web.xml.
...
<filter>
    <filter-name>xssEscapeServletFilter</filter-name>
    <filter-class>com.navercorp.lucy.security.xss.servletfilter.XssEscapeServletFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>xssEscapeServletFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
...
5. Put lucy-xss-servlet-filter-rule.xml into the classes directory.
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.navercorp.com/lucy-xss-servlet">
    <defenders>
        <!-- Register XssPreventer -->
        <defender>
            <name>xssPreventerDefender</name>
            <class>com.navercorp.lucy.security.xss.servletfilter.defender.XssPreventerDefender</class>
        </defender>

        <!-- Register XssSaxFilter -->
        <defender>
            <name>xssSaxFilterDefender</name>
            <class>com.navercorp.lucy.security.xss.servletfilter.defender.XssSaxFilterDefender</class>
            <init-param>
                <param-value>lucy-xss-sax.xml</param-value> <!-- lucy-xss-filter configuration file for the SAX filter -->
                <param-value>false</param-value> <!-- whether to add a comment to the filtered result; the default is false -->
            </init-param>
        </defender>

        <!-- Register XssFilter -->
        <defender>
            <name>xssFilterDefender</name>
            <class>com.navercorp.lucy.security.xss.servletfilter.defender.XssFilterDefender</class>
            <init-param>
                <param-value>lucy-xss.xml</param-value> <!-- lucy-xss-filter configuration file for the DOM filter -->
                <param-value>false</param-value> <!-- whether to add a comment to the filtered result; the default is false -->
            </init-param>
        </defender>
    </defenders>

    <!-- Declare the default defender; if none is declared, the first defender in the list above is used as the default. -->
    <default>
        <defender>xssPreventerDefender</defender>
    </default>

    <!-- Global filter rules -->
    <global>
        <!-- For every URL, the parameter globalParameter is not filtered,
             and parameters whose names start with globalPrefixParameter are not filtered. -->
        <params>
            <param name="globalParameter" useDefender="false" />
            <param name="globalPrefixParameter" usePrefix="true" useDefender="false" />
        </params>
    </global>

    <!-- Per-URL filter rules -->
    <url-rule-set>

        <!-- If disable is true on a url, nothing in requests to that URL is filtered. -->
        <url-rule>
            <url disable="true">/disableUrl1.do</url>
        </url-rule>

        <!-- For url1, url1Parameter is not filtered, and parameters whose names start with url1PrefixParameter are not filtered. -->
        <url-rule>
            <url>/url1.do</url>
            <params>
                <param name="url1Parameter" useDefender="false" />
                <param name="url1PrefixParameter" usePrefix="true" useDefender="false" />
            </params>
        </url-rule>

        <!-- For url2, url2Parameter1 is not filtered, and url2Parameter2 is filtered with xssSaxFilterDefender. -->
        <url-rule>
            <url>/url2.do</url>
            <params>
                <param name="url2Parameter1" useDefender="false" />
                <param name="url2Parameter2">
                    <defender>xssSaxFilterDefender</defender>
                </param>
            </params>
        </url-rule>
    </url-rule-set>
</config>
6. Restart Tomcat and test the site: injecting a script into a parameter no longer triggers an XSS warning; instead the request simply errors out.
Problem solved. The advantage of this approach is that the original site does not have to be modified.
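To show what a parameter-escaping servlet filter actually does for legacy JSPs, here is an added, stripped-down filter in the same spirit as the default xssPreventerDefender above; it is example code written for this page, not code from the lucy-xss-servlet-filter project. The class name ParamEscapeFilter and the helper names are assumptions; it needs only the javax.servlet API and would be registered in web.xml exactly like the filter in step 4.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: HTML-escapes every request parameter before any JSP reads it. */
public class ParamEscapeFilter implements Filter {
    /** Neutralise the characters that let a value break out of HTML text or an attribute. */
    static String escapeHtml(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    static String[] escapeAll(String[] values) {
        return values == null ? null
            : Arrays.stream(values).map(ParamEscapeFilter::escapeHtml).toArray(String[]::new);
    }

    /** Overrides the accessors that <%= request.getParameter() %> and ${param.x} go through. */
    static class EscapingRequest extends HttpServletRequestWrapper {
        EscapingRequest(HttpServletRequest req) { super(req); }
        @Override public String getParameter(String name) { return escapeHtml(super.getParameter(name)); }
        @Override public String[] getParameterValues(String name) { return escapeAll(super.getParameterValues(name)); }
        @Override public Map<String, String[]> getParameterMap() {
            Map<String, String[]> out = new HashMap<>();
            super.getParameterMap().forEach((k, v) -> out.put(k, escapeAll(v)));
            return out;
        }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Caveat: escaping on input also rewrites values stored or used outside HTML (JSON, URLs,
        // file names); exempt such parameters per URL, as the rule file's useDefender="false" does.
        if (req instanceof HttpServletRequest) chain.doFilter(new EscapingRequest((HttpServletRequest) req), res);
        else chain.doFilter(req, res);
    }
}
```

Because the JSP only ever sees the wrapped request, `<script>` arrives as `&lt;script&gt;` and renders as text, which is why the existing pages need no changes; the same mechanism is what makes legitimate input containing `<` or `&` come out altered, so the per-URL exemptions are not optional for forms that accept such characters.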
References: