
SpringBoot通过AOP实现Xss攻击拦截


1、定义Xss工具类

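import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Blacklist-style XSS pre-check for request parameter values.
 *
 * <p>Each value is tested against the regex list in {@code PATTERNS}; a hit is
 * rejected with {@link IllegalArgumentException} rather than silently stripped,
 * so the caller (the AOP aspect) fails the request instead of passing a mangled
 * value on. A regex blacklist is only a coarse first line of defense: it misses
 * encodings and tag variants it does not list, so context-aware output encoding
 * at render time remains the primary XSS control and this check is supplementary.
 *
 * <p>NOTE(review): several pattern literals below appear with their angle-bracket
 * markup stripped (the page this listing was copied from dropped HTML tags),
 * leaving {@code "(.*?)"} and {@code ""}. As written, {@code "(.*?)"} matches any
 * value and {@code ""} matches the empty string at position 0, so every non-empty
 * input is rejected. Restore those literals from the original source (the comments
 * describe a tag-pair pattern and "lonesome tag" patterns) before using this class.
 */
public class XssUtils {

    private XssUtils() {
    }

    private static final Pattern[] PATTERNS = {
        // Avoid anything inside a tag pair (tag markup missing from this copy — restore from source)
        Pattern.compile("(.*?)", Pattern.CASE_INSENSITIVE),
        // Avoid anything in a src='...' type of expression
        Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Remove any lonesome closing tag (tag markup missing from this copy — restore from source)
        Pattern.compile("", Pattern.CASE_INSENSITIVE),
        // Avoid anything inside a second tag pair (tag markup missing from this copy — restore from source)
        Pattern.compile("(.*?)", Pattern.CASE_INSENSITIVE),
        // Remove any lonesome tag (tag markup missing from this copy — restore from source)
        Pattern.compile("", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Remove any lonesome tag (tag markup missing from this copy — restore from source)
        Pattern.compile("", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Avoid eval(...) expressions
        Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Avoid expression(...) expressions
        Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Avoid javascript:... expressions
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        // Avoid vbscript:... expressions
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // Avoid on<event>= handler attributes for the listed events
        Pattern.compile("on(load|error|mouseover|submit|reset|focus|click)(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
    };

    /**
     * Checks a value that is not associated with a named field.
     *
     * @param value the raw parameter value; may be null
     * @return {@code value} unchanged when it passes the check
     * @throws IllegalArgumentException when the value matches a blacklisted pattern
     */
    public static String stripXSS(String value) {
        return stripXSS(null, value);
    }

    /**
     * Checks a value and, on a hit, throws with the field name in the message.
     *
     * @param key   the field name used in the error message; may be null
     * @param value the raw parameter value; may be null
     * @return {@code value} unchanged when it passes the check
     * @throws IllegalArgumentException when the value matches a blacklisted pattern
     */
    public static String stripXSS(String key, String value) {
        // Null and empty values carry no payload; return them as-is.
        // (The original called an un-imported StringUtils.isEmpty here.)
        if (value == null || value.isEmpty()) {
            return value;
        }
        for (Pattern scriptPattern : PATTERNS) {
            Matcher matcher = scriptPattern.matcher(value);
            // find(), not matches(): matches() only fires when the WHOLE value equals
            // the pattern, so a payload embedded in a longer value was never detected.
            if (matcher.find()) {
                // Reject outright instead of stripping (recommended): a stripped value
                // can still be a different, valid-looking payload.
                String msg = key == null ? "" : "字段:" + key + ",";
                throw new IllegalArgumentException(msg + "存在非法关键字符");
            }
            // Alternative (not used): strip the match instead of rejecting —
            //   value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }
}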

2、定义AOP

在AOP中,设置Controller所在包为切入点,对所有经过的请求进行Xss验证

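import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.TypeReference;
import com.lhz.common.utils.XssUtils;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.stereotype.Component;
import java.util.HashMap;
import java.util.Map;

/**
 * Runs the {@link XssUtils} blacklist check over every argument of every
 * controller method before the handler body executes. A hit propagates as the
 * exception {@code XssUtils.stripXSS} throws, so the request fails instead of
 * reaching the handler. This is input validation only; output encoding on the
 * response side is still required to actually prevent XSS.
 */
@Component
@Aspect
public class XssParamAspect {

    // org.project.controller is the controller package name; adjust to the project's own.
    @Pointcut("execution(* org.project.controller..*.*(..))")
    public void xssPoint() {
    }

    /**
     * Validates the join point's arguments.
     *
     * @param point the intercepted controller invocation
     * @throws RuntimeException propagated from {@code XssUtils.stripXSS} when any
     *         String value, at any nesting depth, matches a blacklisted pattern
     */
    @Before("xssPoint()")
    public void paramValid(JoinPoint point) {
        for (Object o : point.getArgs()) {
            if (o == null || o instanceof Number || o instanceof Boolean) {
                // Nothing to scan. The original fed null through the JSON round-trip
                // and then called forEach on the null result.
                continue;
            }
            if (o instanceof String) {
                XssUtils.stripXSS((String) o);
                continue;
            }
            // Round-trip the bean through fastjson so its fields can be walked generically.
            // NOTE(review): non-bean controller parameters (servlet request/response,
            // multipart files, binding results) reach this branch too; confirm they
            // serialize cleanly or exclude them here.
            String paramStr = JSON.toJSONString(o);
            HashMap<String, Object> map = JSONObject.parseObject(paramStr,
                    new TypeReference<HashMap<String, Object>>() {
                    });
            if (map != null) {
                map.forEach(XssParamAspect::checkValue);
            }
            // The original printed the whole parameter map to stdout; dropped because
            // request bodies routinely contain credentials and personal data.
        }
    }

    /**
     * Recursively checks one parsed value: Strings are scanned, nested Maps and
     * Iterables (fastjson's JSONObject/JSONArray) are walked; other types are ignored.
     *
     * @param key the field name reported on a hit
     * @param v   the parsed value; may be null
     */
    private static void checkValue(String key, Object v) {
        if (v instanceof String) {
            XssUtils.stripXSS(key, (String) v);
        } else if (v instanceof Map) {
            ((Map<?, ?>) v).forEach((k, nested) -> checkValue(String.valueOf(k), nested));
        } else if (v instanceof Iterable) {
            for (Object element : (Iterable<?>) v) {
                checkValue(key, element);
            }
        }
    }
}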