Shulou (Shulou.com), SLTechnology News & Howtos > Internet Technology, report dated 06/02, updated 2025-01-28
This article explains the design of a gateway anti-XSS filter. The content is concise and easy to follow, and the detailed walkthrough should leave you with something useful.
1. How to prevent XSS attacks?
XSS defense boils down to two things: strict validation of user input and encoding of content on output. Because XSS can occur in several places, the protection has to be layered:
The front end validates form data (this is the first layer; it stops honest mistakes rather than determined attackers, but it must still be there).
The back end filters and replaces data (there will always be someone who bypasses the browser and sends illegal data to your server with a tool).
The persistence layer follows its data-encoding conventions; with MyBatis, for example, understand the difference between the "$" and "#" placeholders and do not misuse them.
1.1 Spring AOP
Using Spring AOP to cut across every API entry point looks easy to implement, but a RESTful API has no single uniform input format: GET requests carry RequestParam parameters and POST requests carry a RequestBody, so the different kinds of input are hard to handle in one place. This is therefore not a good approach. For RESTful interface design, see "How to design a good RESTful API?".
1.2 HttpMessageConverter
Request JSON has to pass through an HttpMessageConverter. The usual approach is to hook Jackson's serialization and deserialization: subclass MappingJackson2HttpMessageConverter, override the readInternal method, add the XSS filtering code there and register the converter. That solves XSS for JSON requests, but it can only filter bodies whose Content-Type is a form (application/x-www-form-urlencoded) or JSON (application/json); GET request parameters are never touched, so it is not a good solution either. (For more information see github.com/yangc91, SpringMvc Defense XSS practice.)
[Figure: HttpMessageConverter conversion schematic diagram]
```java
// Inside a subclass of MappingJackson2HttpMessageConverter
@Override
protected Object readInternal(Class<?> clazz, HttpInputMessage inputMessage)
        throws IOException, HttpMessageNotReadableException {
    // XSS filtering of the request body would be applied to inputMessage here, before Jackson parses it
    return super.readInternal(clazz, inputMessage);
}
```
1.3 Decorator pattern combined with ESAPI
A further problem is that request.getInputStream() can be read only once. Once a filter has read it, the content is empty for every later filter in the chain, and even if this is the last filter in the chain the program throws an exception when it reaches the HttpMessageConverter. The stream therefore has to be made readable multiple times through a decorator.
ESAPI is a free, open-source web application security control library that helps developers reduce risk in Java web applications. It is an OWASP project; its home page is http://www.owasp.org/index.php/ESAPI. With ESAPI you can easily replace and filter out illegal parameters and also prevent SQL injection.
2. How to modify and filter the request parameters
Use a filter on all back-end requests to strip dangerous keywords from the request inside the filter. Because the values held in the request cannot be modified directly, the request is wrapped using the decorator pattern (Decorator).
The filter decorates the ServerWebExchange. ServerWebExchange, literally the "server web exchange", stores the important request and response properties, the request instance, the response instance and so on, somewhat like a Context. The filter design is as follows:
```java
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.ServerWebExchangeDecorator;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

public class ServerWebExchangeModifyFilter implements WebFilter {

    @Override
    public Mono<Void> filter(final ServerWebExchange exchange, final WebFilterChain chain) {
        // The original request's headers are read-only for security reasons:
        // exchange.getRequest().getHeaders().add("x", "1") would throw UnsupportedOperationException,
        // so the exchange is wrapped in a decorator instead of being modified in place.
        ServerWebExchangeDecorator decorator = new XssServerWebExchangeDecorator(exchange);
        return chain.filter(decorator);
    }
}
```
The ServerWebExchange decorators are:
```java
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.ServerWebExchangeDecorator;

public class XssServerWebExchangeDecorator extends ServerWebExchangeDecorator {

    private final ServerHttpRequestDecorator requestDecorator;

    public XssServerWebExchangeDecorator(ServerWebExchange delegate) {
        super(delegate);
        this.requestDecorator = new XssServerHttpRequestDecorator(delegate.getRequest());
    }

    // Everything downstream that calls exchange.getRequest() now sees the filtered request
    @Override
    public ServerHttpRequest getRequest() {
        return this.requestDecorator;
    }
}
```
The request decorator is as follows:
```java
import org.springframework.http.HttpHeaders;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
// HtmlFilter comes from the XSS filtering library the project uses; its import depends on that library

public class XssServerHttpRequestDecorator extends ServerHttpRequestDecorator {

    private static final HtmlFilter HTML_FILTER = new HtmlFilter();

    private final MultiValueMap<String, String> queryParams;
    private final HttpHeaders headers;

    public XssServerHttpRequestDecorator(ServerHttpRequest delegate) {
        super(delegate);
        // Filter once in the constructor; the delegate's own maps are read-only and stay untouched.
        // Note that getURI() is not overridden, so code reading the raw URI still sees the original query string.
        this.queryParams = new HttpHeaders();
        this.queryParams.addAll(filterQueryParams(delegate.getQueryParams()));
        this.headers = new HttpHeaders();
        this.headers.addAll(filterHttpHeaders(delegate.getHeaders()));
    }

    @Override
    public MultiValueMap<String, String> getQueryParams() {
        return this.queryParams;
    }

    @Override
    public HttpHeaders getHeaders() {
        return this.headers;
    }

    private MultiValueMap<String, String> filterQueryParams(MultiValueMap<String, String> queryParams) {
        // Custom filtering logic: run every parameter value through the HTML filter
        MultiValueMap<String, String> encodeQueryParams = new LinkedMultiValueMap<>();
        queryParams.forEach((name, values) -> values.forEach(
                value -> encodeQueryParams.add(name, value == null ? null : HTML_FILTER.filter(value))));
        return encodeQueryParams;
    }

    private MultiValueMap<String, String> filterHttpHeaders(HttpHeaders httpHeaders) {
        // Custom filtering logic: same treatment for header values. Filtering every header can corrupt
        // legitimate values (cookies, tokens), so in practice restrict this to the headers you actually render.
        MultiValueMap<String, String> encodeHttpHeaders = new LinkedMultiValueMap<>();
        httpHeaders.forEach((name, values) -> values.forEach(
                value -> encodeHttpHeaders.add(name, HTML_FILTER.filter(value))));
        return encodeHttpHeaders;
    }
}
```
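The decorator above covers query parameters and headers only. As an added example that is not part of the article, the hypothetical companion class below applies the same idea to the request body and solves the read-once stream problem from section 1.3 by caching the sanitized bytes; the class name, the isTextBody helper and the minimal sanitize method are assumptions, and a real deployment would delegate the sanitizing to ESAPI or HtmlFilter.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.core.io.buffer.DefaultDataBufferFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

// Hypothetical class (not from the article): sanitizes a text body once, caches the result and
// replays it on every getBody() call, so later filters and the HttpMessageConverter all see it.
public class XssBodyRequestDecorator extends ServerHttpRequestDecorator {
    private final Mono<byte[]> cachedBody;
    private final HttpHeaders headers;

    public XssBodyRequestDecorator(ServerHttpRequest delegate) {
        super(delegate);
        this.cachedBody = DataBufferUtils.join(delegate.getBody())
                .map(buffer -> {
                    byte[] raw = new byte[buffer.readableByteCount()];
                    buffer.read(raw);
                    DataBufferUtils.release(buffer); // the original stream is consumed exactly once
                    return sanitize(new String(raw, StandardCharsets.UTF_8)).getBytes(StandardCharsets.UTF_8);
                })
                .defaultIfEmpty(new byte[0])
                .cache(); // every later subscriber gets the same sanitized bytes
        this.headers = new HttpHeaders();
        this.headers.putAll(delegate.getHeaders());
        // Sanitizing changes the body length, so the original Content-Length must not be forwarded
        this.headers.remove(HttpHeaders.CONTENT_LENGTH);
    }

    // Only JSON and form bodies are text worth rewriting; binary uploads must be passed through untouched
    public static boolean isTextBody(ServerHttpRequest request) {
        MediaType type = request.getHeaders().getContentType();
        return type != null && (MediaType.APPLICATION_JSON.isCompatibleWith(type)
                || MediaType.APPLICATION_FORM_URLENCODED.isCompatibleWith(type));
    }

    // Minimal stand-in for ESAPI/HtmlFilter: neutralizes tag delimiters but leaves quotes alone,
    // so a JSON document is still well-formed after filtering
    static String sanitize(String body) {
        return body.replace("<", "&lt;").replace(">", "&gt;");
    }

    @Override public Flux<DataBuffer> getBody() {
        return cachedBody.map(bytes -> DefaultDataBufferFactory.sharedInstance.wrap(bytes)).flux();
    }

    @Override public HttpHeaders getHeaders() { return headers; }
}
```

Wire it in XssServerWebExchangeDecorator.getRequest() by wrapping the request in this decorator only when isTextBody(...) is true, keeping the query-parameter decorator as it is.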
That is the design of the gateway anti-XSS filter; hopefully you have picked up some knowledge or skills from it. To learn more or broaden your knowledge, you are welcome to follow the industry information channel.