web安全与防御

一、钓鱼网站之XSS攻击原理分析

将表单提交的脚本：<script>for(var i=0;i<3;i++){alert("弹死你"+i);}</script> 中的特殊字符进行转义，禁止脚本执行。

pom.xml引入common-lang包

<dependency>
    <groupId>commons-lang</groupId>
    <artifactId>commons-lang</artifactId>
    <version>2.6</version>
</dependency>

/**  * xss过滤器  * Created by yz on 2018/4/9.  */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private HttpServletRequest request;
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
    }

    /**  * 将request中的value值重写一下，将一些脚本参数 非法参数转换成html元素执行  * @param name  * @return  */  @Override
    public String getParameter(String name) {
        String value = this.request.getParameter(name);
        if(!StringUtils.isEmpty(value)){
            System.out.println("转换前 value:"+value);
            value = StringEscapeUtils.escapeHtml(value);
            System.out.println("转换后 value:"+value);
        }
        return value;
    }
}

import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**  * Created by yz on 2018/4/9.  */ @Component
public class XssFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("初始化方法...");
    }


    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        System.out.println("正常拦截请求...");
        HttpServletRequest req = (HttpServletRequest) request;
        XssHttpServletRequestWrapper xssWrapper = new XssHttpServletRequestWrapper(req);
        filterChain.doFilter(xssWrapper,response);
    }

    /**  * 只执行一次  */  @Override
    public void destroy() {
        System.out.println("销毁请求...");
    }
}

/**  * Created by yz on 2018/4/9.  */ @Controller
public class IndexController {

    @RequestMapping("/index")
    public ModelAndView index(HttpServletRequest request){
        String name = request.getParameter("name");
        System.out.println(name);
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.addObject("name",name);
        modelAndView.setViewName("index");
        return modelAndView;
    }
}

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**  * Created by yz on 2018/4/9.  */ @SpringBootApplication
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class);
    }
}

index.jsp

<%@ page contentType="text/html; charset=UTF-8" language="java"%>
<html>
<body>
<h2>Hello World!</h2>
<form name="form" method="post" action="<%=request.getContextPath() %>/index">
    <input type="text" name="name">
    <input type="submit" name="submit" value="提交">
</form>
name:${
    name}  <h3>我是A页面</h3>
<img alt="" src="/log.png">
</body>
</html>

二、web安全之图片防盗链

三、表单操作数据库SQL注入