淘先锋技术网

首页 1 2 3 4 5 6 7

之前的文章,
php代码审计14之XSS

1、漏洞代码

xssServlet.java


package com.example.demo;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@WebServlet("/xss")
public class xssServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        req.setCharacterEncoding("utf-8");
        resp.setCharacterEncoding("utf-8");
        resp.setContentType("text/html; charset=utf-8");
        String content = req.getParameter("content");
        //content = StringEscapeUtils.escapeHtml(content);
        req.setAttribute("content",content);
        req.getRequestDispatcher("xss.jsp").forward(req,resp);
    }
}

xss.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>Title</title>
</head>
<body>
${content}
</body>
</html>

测试下,

http://localhost:8080/xss?content=%3Cscript%3Ealert(111)%3C/script%3E

在这里插入图片描述

2、修复XSS

2.1、单个文件修复

xssServlet.java

package com.example.demo;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
//import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang.StringEscapeUtils;


@WebServlet("/xss")
public class xssServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        req.setCharacterEncoding("utf-8");
        resp.setCharacterEncoding("utf-8");
        resp.setContentType("text/html; charset=utf-8");
        String content = req.getParameter("content");
        content = StringEscapeUtils.escapeHtml(content);

        req.setAttribute("content",content);
        req.getRequestDispatcher("xss.jsp").forward(req,resp);
    }
}

pom.xml

        <dependency>
            <groupId>commons-lang</groupId>
            <artifactId>commons-lang</artifactId>
            <version>2.5</version>
        </dependency>
访问下,

http://localhost:8080/xss?content=%3Cscript%3Ealert(111)%3C/script%3E

在这里插入图片描述

2.2、通用过滤

上述的方式仅仅对单个文件生效,

实际的项目上肯定不能这么搞,这么搞的后果就是部分文件传参容易遗忘过滤导致漏洞的造成,

正常的思路是直接在过滤器统一处理传参,

新建两个文件,

在这里插入图片描述
XssFilter.java

package com.example.demo;
import com.example.demo.XssHttpServletRequestWrapper;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
@WebFilter("/*")
public class XssFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req =(HttpServletRequest)servletRequest; //转换成 HttpServletRequest
        XssHttpServletRequestWrapper xssHttpServletRequestWrapper = new XssHttpServletRequestWrapper(req);
//        System.out.println(xssHttpServletRequestWrapper);
        filterChain.doFilter(xssHttpServletRequestWrapper,servletResponse);
    }
    @Override
    public void destroy() {
        Filter.super.destroy();
    }
}

XssHttpServletRequestWrapper.java

package com.example.demo;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private HttpServletRequest request;
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request=request;
    }
    @Override
    public String getParameter(String name) {
        String oldname= super.getParameter(name);
        if(!StringUtils.isEmpty(oldname)){
            oldname = StringEscapeUtils.escapeHtml(oldname);
        }
        return oldname;
    }
}

3、一些补充

安全评审的话,在数据库查询的语句,尽量不要使“ * ”,采用最小化原则。

	数据库查出来的类型,要和类使用的类型一致。


一般没有过滤,我们打的XSS的payload还没有弹框,一般有两个原因:

	没有进行语句闭合

	一些标签自带转义效果,比如:textarea标签


如何判断一个项目是否存在全局XSS过滤,		

	直接全局搜索“XSS过滤” 、“XSSFilter”
	
	假设没有找到类似的代码,大概率是存在xss的