Web security and defense
2022-07-02 09:36:00 【niceyz】
1. Phishing website XSS attack: principle analysis
Script submitted through the form: <script>for(var i=0;i<3;i++){alert("I'll kill you "+i);}</script>. Escape the special characters in it so that the browser does not execute the script when the value is rendered back into the page.
pom.xml: introduce the commons-lang package
<dependency>
    <groupId>commons-lang</groupId>
    <artifactId>commons-lang</artifactId>
    <version>2.6</version>
</dependency>
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * XSS filter: request wrapper
 * Created by yz on 2018/4/9.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private HttpServletRequest request;

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
    }

    /**
     * Rewrite the parameter values of the request: the characters that would let an
     * illegal (script) parameter be executed as an HTML element are converted to entities.
     * Note: only getParameter() is overridden; getParameterValues() and getParameterMap()
     * still hand back the raw values.
     * @param name parameter name
     * @return the HTML-escaped parameter value
     */
    @Override
    public String getParameter(String name) {
        String value = this.request.getParameter(name);
        if (!StringUtils.isEmpty(value)) {
            System.out.println("Before conversion value:" + value);
            value = StringEscapeUtils.escapeHtml(value);
            System.out.println("After the transformation value:" + value);
        }
        return value;
    }
}
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Created by yz on 2018/4/9.
 * Declared as a @Component so Spring Boot registers it as a servlet filter automatically.
 */
@Component
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("Initialization method ...");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        System.out.println("Normal interception request ...");
        HttpServletRequest req = (HttpServletRequest) request;
        // Hand the rest of the chain the wrapped request, so every getParameter() call is escaped
        XssHttpServletRequestWrapper xssWrapper = new XssHttpServletRequestWrapper(req);
        filterChain.doFilter(xssWrapper, response);
    }

    /**
     * Called only once, when the filter is taken out of service
     */
    @Override
    public void destroy() {
        System.out.println("Destruction request ...");
    }
}
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.HttpServletRequest;

/**
 * Created by yz on 2018/4/9.
 */
@Controller
public class IndexController {

    @RequestMapping("/index")
    public ModelAndView index(HttpServletRequest request) {
        // request is the XssHttpServletRequestWrapper, so the value arrives already escaped
        String name = request.getParameter("name");
        System.out.println(name);
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.addObject("name", name);
        modelAndView.setViewName("index");
        return modelAndView;
    }
}
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**
 * Created by yz on 2018/4/9.
 */
@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class);
    }
}
index.jsp
<%@ page contentType="text/html; charset=UTF-8" language="java"%>
<html>
<body>
<h2>Hello World!</h2>
<form name="form" method="post" action="<%=request.getContextPath() %>/index">
    <input type="text" name="name">
    <input type="submit" name="submit" value="Submit">
</form>
name:${name}
<h3>I am a A page</h3>
<img alt="" src="/log.png">
</body>
</html>
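The wrapper in the post only overrides getParameter(), so any code path that reads getParameterValues() or getParameterMap() (multi-valued fields, Spring's @RequestParam binding) still sees the raw value. The following is an added example, not code from the original post, that extends the same commons-lang 2.6 StringEscapeUtils.escapeHtml approach to all three accessors; the class name EscapingRequestWrapper, the stubRequest() helper (a reflection proxy standing in for a real container request) and the constructed parameter values in main() are assumptions made for the demonstration.

```java
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: HTML-escapes every parameter accessor, not just getParameter(). */
public class EscapingRequestWrapper extends HttpServletRequestWrapper {

    public EscapingRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Escape one value; null and empty strings pass through unchanged. */
    static String escape(String value) {
        return StringUtils.isEmpty(value) ? value : StringEscapeUtils.escapeHtml(value);
    }

    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /** Covers multi-valued parameters (checkbox groups, repeated names). */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) {
            return null;
        }
        String[] escaped = new String[raw.length];
        for (int i = 0; i < raw.length; i++) {
            escaped[i] = escape(raw[i]);
        }
        return escaped;
    }

    /** Covers code that walks the whole map (generic binding, request logging). */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new LinkedHashMap<String, String[]>();
        for (String key : super.getParameterMap().keySet()) {
            escaped.put(key, getParameterValues(key));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /**
     * Hypothetical stand-in for a container request: only the three parameter
     * methods do anything, every other method returns null (do not call them).
     */
    static HttpServletRequest stubRequest(final Map<String, String[]> params) {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                new InvocationHandler() {
                    public Object invoke(Object proxy, Method m, Object[] args) {
                        String n = m.getName();
                        if (n.equals("getParameterMap")) {
                            return params;
                        }
                        if (n.equals("getParameterValues")) {
                            return params.get(args[0]);
                        }
                        if (n.equals("getParameter")) {
                            String[] v = params.get(args[0]);
                            return (v == null || v.length == 0) ? null : v[0];
                        }
                        return null;
                    }
                });
    }

    public static void main(String[] args) {
        // Constructed input: what a form post with a script in the "name" field would carry
        Map<String, String[]> params = new LinkedHashMap<String, String[]>();
        params.put("name", new String[] { "<script>alert(1)</script>" });
        params.put("tags", new String[] { "a&b", "\"quoted\"" });

        EscapingRequestWrapper req = new EscapingRequestWrapper(stubRequest(params));
        System.out.println("name = " + req.getParameter("name"));
        System.out.println("tags = " + Arrays.toString(req.getParameterValues("tags")));
        System.out.println("map  = " + Arrays.toString(req.getParameterMap().get("name")));
    }
}
```

Two caveats worth keeping in mind with this input-side approach: escapeHtml in commons-lang 2.x escapes &, <, > and the double quote but not the single quote, so a value that is later placed inside a single-quoted attribute or a JavaScript string still needs context-specific output encoding; and because the escaping happens before the value is stored, anything written to the database is the escaped form, which shows up as entities if it is ever rendered somewhere other than an HTML page.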
2. Web security: image hotlink protection
3. Form operations on the database: SQL injection