web.xml配置
<!-- Filter chain for request sanitisation. Per the Servlet spec, filters apply in the order of
     their filter-mapping elements, so for every URL the order is:
       XssFilter (wraps the request), then SessionFilter (registered as "XssSqlFilter"),
       then ServletCGIFilter.
     All three are mapped to /*, so they also run for static resources. -->

<!-- Spring-style XSS filter start: replaces the request with XssHttpServletRequestWrapper,
     whose getParameter/getParameterValues/getHeader run a regex blacklist. It never blocks. -->
<filter>
  <filter-name>XssFilter</filter-name>
  <filter-class>com.enation.eop.XssFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>XssFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring-style XSS filter end -->

<!-- XssSqlFilter start.
     NOTE(review): the filter-name is "XssSqlFilter" but the class is SessionFilter. That class
     returns 403 when the request line/URL contains a blacklisted character or keyword, returns
     403 when the Host header is not the hard-coded "192.168.0.177:8080", and strips the same
     blacklist out of parameter values in place. The Host value is not configurable here;
     it has to be changed in the class (or via an init-param if the class is extended). -->
<filter>
  <filter-name>XssSqlFilter</filter-name>
  <filter-class>com.enation.eop.SessionFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>XssSqlFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- XssSqlFilter end -->

<!-- ServletCGIFilter start: redirects to /404.jsp when the raw query string contains the
     literal sequence "\u0023" or starts with action:/redirect:/redirectAction:, or when a
     parameter name contains "redirect". It only inspects the query string, not POST bodies. -->
<filter>
  <filter-name>ServletCGIFilter</filter-name>
  <filter-class>com.enation.eop.ServletCGIFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>ServletCGIFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ServletCGIFilter end -->===========================================
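package com.enation.eop;

import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;

/**
 * Request-level blacklist filter (registered in web.xml under the filter-name "XssSqlFilter").
 *
 * <p>For every request it:
 * <ol>
 *   <li>answers 403 when the servlet path + query string, or the full request URL, contains one
 *       of the sequences listed in {@link #URL_BLACKLIST} (see {@link #guolv2(String)});</li>
 *   <li>answers 403 when the {@code Host} header does not equal the allowed host. The allowed host
 *       can be set with the init-param {@value #ALLOWED_HOST_PARAM}; without it the historical
 *       hard-coded value {@value #DEFAULT_ALLOWED_HOST} is used, so existing deployments behave
 *       exactly as before;</li>
 *   <li>strips the sequences in {@link #VALUE_STRIP} out of every parameter value in place via
 *       {@link #guolv(String)} and then continues the chain.</li>
 * </ol>
 *
 * <p>Caveats a deployer should know before relying on this:
 * <ul>
 *   <li>It is a substring blacklist, not a parser, and it is case-sensitive: {@code " and "} is
 *       rejected/removed but {@code " AND "} is not. It cannot replace parameterized SQL and
 *       context-aware output encoding; treat it as defense in depth only.</li>
 *   <li>{@code "+"} is in the URL blacklist, so any query string that encodes a space as a plus
 *       sign (standard form encoding) is answered with 403.</li>
 *   <li>Parameter values from {@code getParameterMap()} are already URL-decoded, so the
 *       {@code %22}/{@code %27}/{@code %3C}/{@code %3E} entries in {@link #VALUE_STRIP} only match
 *       double-encoded input.</li>
 *   <li>Scrubbing the arrays returned by {@code getParameterMap()} in place assumes the container
 *       hands out its internal arrays; whether {@code getParameter()} later observes the scrubbed
 *       value is container-specific. A request wrapper (as {@code XssFilter} does) is the portable
 *       way to do this.</li>
 *   <li>The request line and query string are logged at INFO. If the application ever carries
 *       credentials or tokens in the query string they end up in the log file.</li>
 * </ul>
 */
public class SessionFilter implements Filter {

    /** Sentinel returned by {@link #guolv2(String)} when the input is blacklisted (kept for callers). */
    private static final String HIT = "bingo";

    /** Optional web.xml init-param that overrides the expected {@code Host} header value. */
    static final String ALLOWED_HOST_PARAM = "allowedHost";

    /** Host value used when no init-param is configured (the original hard-coded value). */
    static final String DEFAULT_ALLOWED_HOST = "192.168.0.177:8080";

    /**
     * Sequences that cause a 403 when found in the request line or URL. Order is irrelevant here.
     * NOTE(review): {@code %27} is stripped from values by {@link #guolv(String)} but is not
     * rejected here; the two lists were never symmetric and this keeps them as they were.
     */
    private static final String[] URL_BLACKLIST = {
        "%22", "%3E", "%3e", "%3C", "%3c", "<", ">", "\"", "'", "+",
        " and ", " or ", "1=1", "(", ")"
    };

    /** Sequences removed from parameter values, applied in exactly this order. */
    private static final String[] VALUE_STRIP = {
        "%22", "%27", "%3E", "%3e", "%3C", "%3c", "<", ">", "\"", "'",
        "+", "(", ")", " and ", " or ", " 1=1 "
    };

    private static Logger log = Logger.getLogger(SessionFilter.class);

    /** Exact "host[:port]" string the {@code Host} header must carry; anything else gets a 403. */
    private String allowedHost = DEFAULT_ALLOWED_HOST;

    /**
     * Reads the optional {@value #ALLOWED_HOST_PARAM} init-param. A blank or missing value keeps
     * {@link #DEFAULT_ALLOWED_HOST}.
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        String configured = filterConfig == null ? null : filterConfig.getInitParameter(ALLOWED_HOST_PARAM);
        if (StringUtils.isNotBlank(configured)) {
            allowedHost = configured.trim();
        }
    }

    public void destroy() {
    }

    /**
     * Applies the three checks described on the class; on a rejection the response status is set
     * to 403 and the chain is not continued.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        String requestStr = getRequestString(request);
        String requestUrl = request.getRequestURL().toString();
        // Logged at INFO: this includes the raw query string (see class comment).
        log.info("requestStr: ======================== " + requestStr);
        log.info("完整的地址是====" + requestUrl);
        log.info("提交的方式是========" + request.getMethod());

        // 1) blacklist on the request line and on the full URL (evaluated once, not once per log call)
        if (isBlacklisted(requestStr) || isBlacklisted(requestUrl)) {
            log.info("======访问地址发现非法字符,已拦截======其非法地址为:" + guolv2(requestUrl));
            response.setStatus(403);
            return;
        }

        // 2) Host header pinning. Mitigates Host-header poisoning, but will reject every request
        //    when a reverse proxy rewrites Host unless allowedHost is configured accordingly.
        String host = request.getHeader("host");
        if (!StringUtils.equals(host, allowedHost)) {
            log.info("======访问host非法,已拦截======其非法host为:" + host);
            response.setStatus(403);
            return;
        }

        // 3) strip blacklisted sequences out of parameter values (in place; see class comment)
        scrubParameters(request.getParameterMap());

        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** Runs {@link #guolv(String)} over every {@code String[]} value of the parameter map, in place. */
    private static void scrubParameters(Map<?, ?> parameters) {
        if (parameters == null || parameters.isEmpty()) {
            return;
        }
        for (Object entry : parameters.values()) {
            if (!(entry instanceof String[])) {
                continue;
            }
            String[] values = (String[]) entry;
            for (int i = 0; i < values.length; i++) {
                values[i] = guolv(values[i]);
            }
        }
    }

    /**
     * Removes every sequence in {@link #VALUE_STRIP} from {@code a}, in list order.
     *
     * @param a a parameter value; {@code null} and the empty string are returned unchanged
     *          (the previous version threw {@link NullPointerException} on {@code null})
     * @return the value with the blacklisted substrings removed
     */
    public static String guolv(String a) {
        if (a == null || a.length() == 0) {
            return a;
        }
        String cleaned = a;
        for (String token : VALUE_STRIP) {
            // literal replacement; none of the tokens relies on regex semantics
            cleaned = cleaned.replace(token, "");
        }
        return cleaned;
    }

    /**
     * Builds the string the URL blacklist is applied to: servlet path plus {@code "?"} and the
     * raw query string when one is present.
     */
    private String getRequestString(HttpServletRequest req) {
        String requestPath = req.getServletPath().toString();
        String queryString = req.getQueryString();
        return queryString == null ? requestPath : requestPath + "?" + queryString;
    }

    /**
     * Legacy check kept for callers: returns {@code "bingo"} when {@code a} contains any entry of
     * {@link #URL_BLACKLIST}, otherwise returns {@code a} itself. New code should use
     * {@link #isBlacklisted(String)}, which does not overload the return value.
     */
    public String guolv2(String a) {
        return isBlacklisted(a) ? HIT : a;
    }

    /** {@code true} when {@code a} is non-empty and contains any entry of {@link #URL_BLACKLIST}. */
    private static boolean isBlacklisted(String a) {
        if (StringUtils.isEmpty(a)) {
            return false;
        }
        for (String token : URL_BLACKLIST) {
            if (a.contains(token)) {
                return true;
            }
        }
        return false;
    }
}===========================================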
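package com.enation.eop;

import java.io.IOException;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects to {@code /404.jsp} any request that carries an {@code action:}, {@code redirect:} or
 * {@code redirectAction:} prefixed parameter (the Struts 2 action-mapper prefixes), the literal
 * sequence {@code \u0023} (a Java unicode escape for OGNL's {@code #}), or a parameter whose name
 * contains {@code redirect}.
 *
 * <p>Changes from the previous version, all of them stricter:
 * <ul>
 *   <li>The prefix check now looks at every {@code &}-separated segment of the query string and at
 *       every decoded parameter name, not only at the very beginning of the query string
 *       ({@code ?a=1&redirect:...} previously passed).</li>
 *   <li>{@code redirectAction:} is now matched; the old pattern compared the capitalised
 *       alternative against a lower-cased string, so it never matched.</li>
 *   <li>Decoded parameter names are checked for {@code \u0023} and {@code #}, because
 *       {@code getQueryString()} is not URL-decoded by the container: an encoded backslash
 *       ({@code %5Cu0023}) or {@code %23} reached the application untouched.</li>
 *   <li>The {@code redirect} name check is case-insensitive and looks at parameter names directly
 *       rather than at {@code Map.toString()} (values are {@code String[]} and render as their
 *       identity, so that check effectively only ever saw names).</li>
 * </ul>
 *
 * <p>This remains a blacklist. Whether it stops OGNL injection depends on the Struts version in
 * use; upgrading Struts is the fix, this filter is a stop-gap.
 */
public class ServletCGIFilter implements Filter {

    /** Struts 2 prefix parameters as they appear raw (":" or "%3a") at the start of a segment/name. */
    private static final Pattern PREFIX_PARAM =
            Pattern.compile("^(action|redirect|redirectaction)(:|%3a)", Pattern.CASE_INSENSITIVE);

    /** Six-character literal backslash-u-0-0-2-3, i.e. the unicode escape for '#'. */
    private static final String UNICODE_HASH = "\\u0023";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    /**
     * Either redirects to {@code /404.jsp} (when {@link #isSuspicious} fires) or continues the chain.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hRequest = (HttpServletRequest) request;
        HttpServletResponse hResponse = (HttpServletResponse) response;

        String queryString = hRequest.getQueryString();
        Map<?, ?> parameterMap = hRequest.getParameterMap();

        if (isSuspicious(queryString, parameterMap)) {
            hResponse.sendRedirect(hRequest.getContextPath() + "/404.jsp");
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Applies the raw query-string checks and the decoded parameter-name checks.
     *
     * @param queryString  the undecoded query string, may be {@code null}
     * @param parameterMap the container's parameter map, may be {@code null}
     * @return {@code true} when the request should be rejected
     */
    static boolean isSuspicious(String queryString, Map<?, ?> parameterMap) {
        if (queryString != null
                && (queryString.contains(UNICODE_HASH) || queryStringHasCommond(queryString))) {
            return true;
        }
        if (parameterMap == null) {
            return false;
        }
        for (Object key : parameterMap.keySet()) {
            if (!(key instanceof String)) {
                continue;
            }
            String name = (String) key;
            if (name.toLowerCase(Locale.ROOT).contains("redirect")) {
                return true;
            }
            // decoded form of what the raw check above looks for, plus the bare '#'
            if (name.contains(UNICODE_HASH) || name.contains("#") || PREFIX_PARAM.matcher(name).find()) {
                return true;
            }
        }
        return false;
    }

    /**
     * {@code true} when any {@code &}-separated segment of the raw query string starts with one of
     * the Struts 2 prefixes followed by {@code :} or {@code %3a}.
     */
    private static boolean queryStringHasCommond(String queryString) {
        for (String segment : queryString.split("&")) {
            if (PREFIX_PARAM.matcher(segment).find()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}===========================================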
package com.enation.eop;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import com.enation.eop.XssHttpServletRequestWrapper;

/**
 * Servlet filter that hands the chain an {@link XssHttpServletRequestWrapper} in place of the
 * original request, so parameters and headers read through the wrapper's overridden getters are
 * scrubbed. It never blocks or short-circuits a request and does not touch the response.
 *
 * <p>Only what the wrapper overrides is scrubbed; anything the application reads through another
 * path (for example the raw map from {@code getParameterMap()}, if the wrapper does not override
 * it) is unaffected by this filter.
 */
public class XssFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration
    }

    /**
     * Wraps {@code request} and continues the chain with the wrapper.
     * The cast is unconditional, as before: a non-HTTP request fails here with a ClassCastException.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        XssHttpServletRequestWrapper wrapped = new XssHttpServletRequestWrapper(httpRequest);
        chain.doFilter(wrapped, response);
    }

    public void destroy() {
        // nothing to release
    }
}===========================================
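package com.enation.eop;

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that runs a remove-on-match regex blacklist over parameter values, parameter
 * names used for lookup, and header names/values before the application sees them.
 *
 * <p>What changed and why:
 * <ul>
 *   <li>{@link #getParameterMap()} now returns a scrubbed, unmodifiable copy. It previously
 *       delegated to the raw map, so anything that binds request data through the map (framework
 *       model binding, for instance) received unfiltered values.</li>
 *   <li>{@link #getParameterValues(String)} returns a scrubbed copy instead of overwriting the
 *       array the container handed out.</li>
 *   <li>Patterns are compiled once. One pattern was added: an element that carries an {@code on*}
 *       handler but has no closing tag (e.g. {@code <img src=x onerror=...>}) was not matched by
 *       the existing element pattern, which requires a following {@code </...>}.</li>
 * </ul>
 *
 * <p>Known limits (a blacklist is never complete): the patterns use {@code .} without DOTALL, so a
 * payload that spans a line break is not matched; handlers introduced without whitespace
 * ({@code <svg/onload=...>}) are not matched; and the method is a stripper, not an encoder (the
 * old comment claiming half-width to full-width replacement did not describe the code).
 * Context-aware output encoding at render time remains the actual XSS defense.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    // Unused; left in place because it is package-visible and may be referenced elsewhere.
    HttpServletRequest orgRequest = null;

    // Original patterns, applied in the original order with the original replacements.
    private static final Pattern EVAL_CALL =
            Pattern.compile("eval\\((.*)\\)");
    private static final Pattern QUOTED_JAVASCRIPT_URL =
            Pattern.compile("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']");
    private static final Pattern SCRIPT_OPEN_OPEN =
            Pattern.compile("<script.*?>.*?<script.*?>", Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_BLOCK =
            Pattern.compile("<script.*?>.*?</script.*?>", Pattern.CASE_INSENSITIVE);
    private static final Pattern JAVASCRIPT_URL_ELEMENT =
            Pattern.compile("<.*?javascript:.*?>.*?</.*?>", Pattern.CASE_INSENSITIVE);
    private static final Pattern EVENT_HANDLER_ELEMENT =
            Pattern.compile("<.*?\\s+on.*?>.*?</.*?>", Pattern.CASE_INSENSITIVE);
    // Added: a single tag with a whitespace-separated on*= attribute and no closing tag.
    private static final Pattern EVENT_HANDLER_TAG =
            Pattern.compile("<[^>]*\\s+on\\w+\\s*=[^>]*>", Pattern.CASE_INSENSITIVE);

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Scrubs the lookup name and the returned value. The raw value is still available through
     * {@code super.getParameterValues(name)}.
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    /** Returns a scrubbed copy of the values; the container's array is not modified. */
    @Override
    public String[] getParameterValues(String name) {
        return scrubAll(super.getParameterValues(name));
    }

    /**
     * Returns an unmodifiable copy of the parameter map with every value scrubbed. Keys are the
     * container's keys, unchanged, so lookups by the real parameter name keep working.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<?, ?> raw = super.getParameterMap();
        Map<String, String[]> scrubbed = new LinkedHashMap<String, String[]>();
        if (raw != null) {
            for (Map.Entry<?, ?> entry : raw.entrySet()) {
                String name = String.valueOf(entry.getKey());
                Object value = entry.getValue();
                String[] values = value instanceof String[] ? (String[]) value : null;
                scrubbed.put(name, scrubAll(values));
            }
        }
        return Collections.unmodifiableMap(scrubbed);
    }

    /**
     * Scrubs the header name used for lookup and the returned value.
     * NOTE(review): the original author reports this override once caused HTTP 406 responses,
     * presumably when a negotiation header such as Accept was altered; the current patterns leave
     * ordinary Accept values untouched, but re-check this whenever the pattern list changes.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    /** Applies {@link #xssEncode(String)} to each element of a fresh array; {@code null} in, {@code null} out. */
    private static String[] scrubAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = xssEncode(values[i]);
        }
        return out;
    }

    /**
     * Strips fragments matching the blacklist patterns, in order. Despite the name this does not
     * encode anything: matched text is removed (the quoted javascript: URL is replaced by an empty
     * quoted string), everything else is returned untouched.
     *
     * @param value the string to scrub; {@code null} and "" are returned as-is
     * @return the scrubbed string
     */
    private static String xssEncode(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        value = EVAL_CALL.matcher(value).replaceAll("");
        value = QUOTED_JAVASCRIPT_URL.matcher(value).replaceAll("\"\"");
        value = SCRIPT_OPEN_OPEN.matcher(value).replaceAll("");
        value = SCRIPT_BLOCK.matcher(value).replaceAll("");
        value = JAVASCRIPT_URL_ELEMENT.matcher(value).replaceAll("");
        value = EVENT_HANDLER_ELEMENT.matcher(value).replaceAll("");
        value = EVENT_HANDLER_TAG.matcher(value).replaceAll("");
        return value;
    }
}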