Shulou(Shulou.com)06/02 Report--

How to use filter in springboot and how to write jsoup filter XSS script, I believe many inexperienced people don't know what to do about this. Therefore, this article summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Springboot uses filters, jsoup filters XSS scripts

Background: slightly

Goal: complete script filtering in request requests

Technology: filter,jsoup,requestWapper

1. Analyze the location of parameters that may contain a script

Post/put/delete: among the parameters of the request, either the form submission or the @ requestBody annotation is used, so the parameter is in json format and is in the stream of request.

Get/options, etc.: it may exist in the url parameter, or it may be in the pre-request of the form submission, so it may exist in any imaginable location, including header.

two。 Analyze the implementation process

2.1First of all, the parameters of each filter location should be extracted from the request request.

2.2 then take the parameters out and filter them

2.3 the filtered parameters are repackaged as request and passed on.

2.4 during this period

Utility classes that need to be prepared for jsoup filtering scripts

You need to customize a filter and add matching criteria to the filter, such as those url do not need to be filtered, and those request methods must be filtered

Configure the filter, whether it is turned on, set the position in the entire filter chain, and set the filtered whitelist or blacklist

So it's clear that we filter which classes are needed and which are configured

A filter

A requestWapper

A jsoup utility class

A configuration class for filter

2.5 conduct data testing

3. Code implementation process

3.1.jsoup dependencies:

Org.jsoup jsoup 1.9.2

3.2jsoup utility class: JsoupUtil

Import org.jsoup.Jsoup; import org.jsoup.nodes.Document; import org.jsoup.safety.Whitelist; import java.io.FileNotFoundException; import java.io.IOException; / * * @ Auther: qianshanmuxue* @ Date: 2019-2-27 19 qianshanmuxue* 32 * @ Description: xss Illegal label filtering*/ public class JsoupUtil {private static final Whitelist whitelist = Whitelist.simpleText () / / there are four types of jsoup whitelist, each of which has a different tag type. Specifically, you can ctrl+ left-click simpleText and have a response comment and tag list in the jsoup source code / / add myself whitelist labelprivate static final Document.OutputSettings outputSettings = new Document.OutputSettings (). PrettyPrint (false); static {whitelist.addAttributes (": all", "style") .addTags ("p"). AddTags ("strong") / / add custom tags to the whitelist, and all tags except those on the whitelist will be filtered whitelist.preserveRelativeLinks (true); / / if pairs of tags cannot be found, only a single tag will be filtered instead of all the subsequent text. / / (after a long struggle on this issue, when there is only one tag, all the data behind the tag will be filtered)} public static String clean (String content) {/ / filtering method return Jsoup.clean (content, ", whitelist, outputSettings);} / test mainpublic static void main (String [] args) throws FileNotFoundException, IOException {String text ="

Sss

Alert (0); sss "; System.out.println (clean (text));}}

3.3request wrapper class XssHttpServletRequestWrapper

Import java.io.*;import java.util.*;import javax.servlet.ReadListener;import javax.servlet.ServletInputStream;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;import com.xxx.utils.JsoupUtil;import org.jsoup.nodes.Document;import org.springframework.util.StringUtils / * * @ Auther: qianshanmuxue * @ Date: 16:24 on 2019-2-27 * @ Description:request wapper use to get request parameter and request bdoy data and wapper another request * / public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {/ / because we need to obtain the data in request, we need to inherit the HttpServletRequestWrapper class in the underlying java, override some methods in the parent class, and get the parameter private HttpServletRequest orgRequest = null in the corresponding position Private static final Document.OutputSettings outputSettings = new Document.OutputSettings (). PrettyPrint (false); public XssHttpServletRequestWrapper (HttpServletRequest request) {super (request); orgRequest = request;} @ Override public ServletInputStream getInputStream () throws IOException {/ / get BufferedReader br = new BufferedReader (new InputStreamReader (orgRequest.getInputStream ()); String line = br.readLine (); String result = "" If (line! = null) {result + = clean (line);} return new WrappedServletInputStream (new ByteArrayInputStream (result.getBytes ();} @ Override public String getParameter (String name) {if (("content" .equals (name) | | name.endsWith ("WithHtml") {return super.getParameter (name);} name = clean (name) String value = super.getParameter (name); if (! StringUtils.isEmpty (value)) {value = clean (value);} return value;} @ Override public Map getParameterMap () {Map map = super.getParameterMap (); / / return value Map Map returnMap = new HashMap (); Iterator entries = map.entrySet (). Iterator (); Map.Entry entry String name = "; String value ="; while (entries.hasNext ()) {entry = (Map.Entry) entries.next (); name = (String) entry.getKey (); Object valueObj = entry.getValue (); if (null = = valueObj) {value =" } else if (valueObj instanceof String []) {String [] values = (String []) valueObj; for (int I = 0; I

< values.length; i++) { value = values[i] + ","; } value = value.substring(0, value.length() - 1); } else { value = valueObj.toString(); } returnMap.put(name, clean(value).trim()); } return returnMap; } @Override public String[] getParameterValues(String name) { String[] arr = super.getParameterValues(name); if (arr != null) { for (int i = 0; i < arr.length; i++) { arr[i] = clean(arr[i]); } } return arr; } /** * get org request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * wapper request */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof XssHttpServletRequestWrapper) { return ((XssHttpServletRequestWrapper) req).getOrgRequest(); } return req; } public String clean(String content) { String result = JsoupUtil.clean(content); return result; } private class WrappedServletInputStream extends ServletInputStream { public void setStream(InputStream stream) { this.stream = stream; } private InputStream stream; public WrappedServletInputStream(InputStream stream) { this.stream = stream; } @Override public int read() throws IOException { return stream.read(); } @Override public boolean isFinished() { return true; } @Override public boolean isReady() { return true; } @Override public void setReadListener(ReadListener readListener) { } }} 3.4filter-XssFilter import org.apache.commons.lang.BooleanUtils;import org.apache.commons.lang.StringUtils; import java.io.IOException; import java.util.ArrayList;import java.util.List;import java.util.regex.Matcher;import java.util.regex.Pattern; import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse; /** * @Auther: qianshanmuxue * @Date: 2019/2/27 16:25 * @Description: *///@WebFilter//@Component 在这里可以不用这个注解，以为后面我们会在config中去配置这个filter，在这里只需要实现 Filter 接口实现相应的方法就okpublic class XssFilter implements Filter { private static boolean IS_INCLUDE_RICH_TEXT = false;//用于接收配置中的参数，决定这个过滤器是否开启 public List excludes = new ArrayList();//用于接收配置中的参数，决定哪些是不需要过滤的url（在这里，也可以修改handleExcludeURL（）方法中相应的代码，使其变更为只需要过滤的url） @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse resp = (HttpServletResponse) response; if (handleExcludeURL(req, resp)) { chain.doFilter(request, response); return; } XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request); chain.doFilter(xssRequest, response); }/***此方法是决定对当前url是否执行过滤，*在这里没有使用请求方法（post/put）来匹配，因为在本项目中使用url匹配更适合（因为get和其他请求方式也需要进行过滤），如果你有兴趣可以把这个方法更改为匹配请求方法进行过滤**/ private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) { if ((excludes == null || excludes.isEmpty())&&IS_INCLUDE_RICH_TEXT) { return false; } String url = request.getServletPath(); for (String pattern : excludes) { Pattern p = Pattern.compile("^" + pattern); Matcher m = p.matcher(url); if (m.find()) { return true; } } return false; }/** *过滤器初始化，从配置类中获取参数，用于初始化两个参数（是否开启，排除指定的url list） * */ @Override public void init(FilterConfig arg0) throws ServletException { String isIncludeRichText = arg0.getInitParameter("isIncludeRichText"); if (StringUtils.isNotBlank(isIncludeRichText)) { IS_INCLUDE_RICH_TEXT = BooleanUtils.toBoolean(isIncludeRichText); } String temp = arg0.getInitParameter("excludes"); if (temp != null) { String[] url = temp.split(","); for (int i = 0; url != null && i < url.length; i++) { excludes.add(url[i]); } } } @Override public void destroy() { }} 3.5filter的配置类：XssConfig import com.xxx.filter.XssFilter;import com.google.common.collect.Maps;import org.springframework.boot.web.servlet.FilterRegistrationBean;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration; import java.util.Map; /** * @Auther: qianshanmuxue * @Date: 2019/2/27 16:49 * @Description: xss filter config */@Configurationpublic class XssConfig { @Bean public FilterRegistrationBean xssFilterRegistrationBean() { FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean(); filterRegistrationBean.setFilter(new XssFilter()); filterRegistrationBean.setOrder(1);//filter order ,set it first filterRegistrationBean.setEnabled(true); filterRegistrationBean.addUrlPatterns("/*"); //set filter all url mapping Map initParameters = Maps.newHashMap(); initParameters.put("excludes", "/oauth/token");///white list url initParameters.put("isIncludeRichText", "true");//enable or disable filterRegistrationBean.setInitParameters(initParameters); return filterRegistrationBean; }} 调试截图： 请求：

Screenshot of the program:

Running result:

You can see that the script in body has been filtered

Then I won't post the other screenshots, and another idea is to escape the characters in the filter.

Thank you, Boss luckpet, for your hint.

1 BufferedReader needs to be closed after use

2 for some friends with postman and other tools, if you splice json, there will be a new line here result + = clean (line); it needs to be changed to: while ((line = br.readLine ())! = null) {if (line! = null) {result + = line;}}

Using jsoup to prevent XSS attacks

Not long ago, after the national test of the sub-project, I opened a project page and inexplicably popped up xss. After searching the whole situation, I couldn't find alert ("xss"). I asked the project manager that it was done when the national test was used to prevent injection, and when I was adding data, I looked confused.

Checked the information, the previous project did not think of this problem, if you save a script script, check the data, this script will be executed, the consequences of this thing is very serious ah, if it is in the desktop pop-up box, the implementation of a mining script, this thing is amazing, awesome, learn a lot of knowledge.

Org.jsoup jsoup 1.11.3 after reading the above, have you mastered how to use filters in springboot and how to write XSS scripts for jsoup filtering? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.