출처 : http://shonm.tistory.com/m/post/425
웹 페이지 입력 란에
<script> alert('1111'); </script>
이런 식으로 입력을 하면 입력 정보를 불러 올 때 alert 가 뜨게 될 수 있는데...
이게 악성 스크립트를 전송 하여 클릭 시 PC 의 인증 정보를 수집하여
공격하는 Cross Site Scripting 이 가능 하다고 본다고 한다.
그래서 < , > 등을 입력 받지 못하도록 막아야 한다고 대형 사이트의 보안 권고
사항이 나온다.
JSP 개발 상황이라면 class 2개 를 만들고 web.xml 에 간단한 filter 추가로
해결 할 수 있다.
일단 servlet-api.jar 파일을 lib 폴더에 넣는다. (tomcat 등에 있다.)
그 다음 class 2 개를 추가 한다.
추가 해야 할 class 1
package com.incross.util;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class RequestWrapper extends HttpServletRequestWrapper {
public RequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
}
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values==null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = stripXSS(values[i]); //cleanXSS(values[i]);
}
return encodedValues;
}
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (value == null) {
return null;
}
//return cleanXSS(value);
return stripXSS(value);
}
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null){
return null;
}
//return cleanXSS(value);
return stripXSS(value);
}
private String cleanXSS(String value) {
//You'll need to remove the spaces from the html entities below
value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
value = value.replaceAll("'", "& #39;");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
// HTML transformation characters
value = org.springframework.web.util.HtmlUtils.htmlEscape(value);
// SQL injection characters
value = StringEscapeUtils.escapeSql(value);
return value;
}
public static String stripXSS(String value) {
if (value != null) {
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
// value = ESAPI.encoder().canonicalize(value);
// Avoid null characters
value = value.replaceAll("", "");
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid anything in a src='...' type of expression
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid expression(...) expressions
scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// HTML transformation characters
value = org.springframework.web.util.HtmlUtils.htmlEscape(value);
// SQL injection characters
value = StringEscapeUtils.escapeSql(value);
}
return value;
}
}
>>>>>>>>>> 내가 좀 손본거임...ㅎㅎ cleanXSS=>stripXSS
===============================================================
추가 해야 할 class 2
package com.incross.util;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class CrossScriptingFilter implements Filter {
public FilterConfig filterConfig;
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
public void destroy() {
this.filterConfig = null;
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
}
}
================================================================
web.xml 에 추가 해야 할 사항
<filter>
<filter-name>XSS</filter-name>
<filter-class>com.incross.util.CrossScriptingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
================================================================
출처 : http://www.javablog.fr/java-security-cross-site-scripting-xss-and-sql-injection.html
A simple post concerning the Cross Site Scripting (XSS) and SQL injection which are types of security vulnerability used in Web applications. In SQL-Injection the vulnerability is exploited by injecting SQL Queries as user inputs. In XSS, Javascript code is injected (basically client side scripting) to the remote server (persistente or non-persistent). For more information, Wikipedia is a good source http://en.wikipedia.org/wiki/Cross-site_scripting andhttp://en.wikipedia.org/wiki/SQL_injection.
Cross Site Scripting (XSS)
XSS injects executable code via the GET or POST parameters in HTTP requests. So, here, I would present an example of special characters (<, >, ‘, …) transformation into their HTML code in order to not be executed by the browser.
An example of XSS attack could be filling javascript code in in form’s field:
1 | "/><script>alert(xss attack);</script> |
SQL injection
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution.
A best-pratice is no use the concatenation of SQL queries and variables like:
1 | "SELECT id, name FROM TABLE_PERSON WHERE id="+myIdVariable;" |
…instead, use the parametrized queries via the PreparedStatement.
An example of SQL injection could be:
1 | .../mycontext/myservice.do?name=12&id=123' AND '1'=='1'-- |
Solution and implementation
First, we create HTTP filter RequestWrappingFilter in order to intercept the HTTP request configured in the web.xml file:
1 | <filter> |
2 | <filter-name>RequestWrappingFilter</filter-name> |
3 | <filter-class>com.huo.filter.RequestWrappingFilter</filter-class> |
4 | </filter> |
5 |
6 | <filter-mapping> |
7 | <filter-name>RequestWrappingFilter</filter-name> |
8 | <url-pattern>/*</url-pattern> |
9 | </filter-mapping> |
… the goal of this filter is to wrapper the request into an own-coded wrapperMyHttpRequestWrapper which transforms:
- the HTTP parameters with special characters (<, >, ‘, …) into HTML codes via theorg.springframework.web.util.HtmlUtils.htmlEscape(…) method.
Note: There is similar classe in Apache Commons :org.apache.commons.lang.StringEscapeUtils.escapeHtml(…) - the SQL injection characters (‘, “, …) via the Apache Commons classeorg.apache.commons.lang.StringEscapeUtils.escapeSql(…)
01 | package com.huo.filter; |
02 |
03 | import java.io.IOException; |
04 |
05 | import javax.servlet.Filter; |
06 | import javax.servlet.FilterChain; |
07 | import javax.servlet.FilterConfig; |
08 | import javax.servlet.ServletException; |
09 | import javax.servlet.ServletRequest; |
10 | import javax.servlet.ServletReponse; |
11 | import javax.servlet.http.HttpServletRequest; |
12 |
13 | public class RequestWrappingFilter implements Filter{ |
14 |
15 | public void doFilter(ServletRequest req, ServletReponse res, FilterChain chain)throws IOException, ServletException{ |
16 | chain.doFilter(new MyHttpRequestWrapper(req), res); |
17 | } |
18 |
19 | public void init(FilterConfig config) throws ServletException{ |
20 | } |
21 |
22 | public void destroy() throws ServletException{ |
23 | } |
24 | } |
01 | package com.huo.filter; |
02 |
03 | import java.util.HashMap; |
04 | import java.util.Map; |
05 |
06 | import javax.servlet.ServletException; |
07 | import javax.servlet.http.HttpServletRequest; |
08 | import javax.servlet.http.HttpServletRequestWrapper; |
09 |
10 | import org.apache.commons.lang.StringEscapeUtils; |
11 |
12 | public class MyHttpRequestWrapper implements HttpServletRequestWrapper{ |
13 | private Map<String, String[]> escapedParametersValuesMap = new HashMap<String, String[]>(); |
14 |
15 | public MyHttpRequestWrapper(HttpServletRequest req){ |
16 | super(req); |
17 | } |
18 |
19 | @Override |
20 | public String getParameter(String name){ |
21 | String[] escapedParameterValues = escapedParametersValuesMap.get(name); |
22 | String escapedParameterValue = null; |
23 | if(escapedParameterValues!=null){ |
24 | escapedParameterValue = escapedParameterValues[0]; |
25 | }else{ |
26 | String parameterValue = super.getParameter(name); |
27 |
28 | // HTML transformation characters |
29 | escapedParameterValue = org.springframework.web.util.HtmlUtils.htmlEscape(parameterValue); |
30 | |
31 | // SQL injection characters |
32 | escapedParameterValue = StringEscapeUtils.escapeSql(escapedParameterValue); |
33 | |
34 | escapedParametersValuesMap.put(name, new String[]{escapedParameterValue}); |
35 | }//end-else |
36 | |
37 | return escapedParameterValue; |
38 | } |
39 |
40 | @Override |
41 | public String[] getParameterValues(String name){ |
42 | String[] escapedParameterValues = escapedParametersValuesMap.get(name); |
43 | if(escapedParameterValues==null){ |
44 | String[] parametersValues = super.getParameterValues(name); |
45 | escapedParameterValue = new String[parametersValues.length]; |
46 |
47 | // |
48 | for(int i=0; i<parametersValues.length; i++){ |
49 | String parameterValue = parametersValues[i]; |
50 | String escapedParameterValue = parameterValue; |
51 | |
52 | // HTML transformation characters |
53 | escapedParameterValue = org.springframework.web.util.HtmlUtils.htmlEscape(parameterValue); |
54 | |
55 | // SQL injection characters |
56 | escapedParameterValue = StringEscapeUtils.escapeSql(escapedParameterValue); |
57 | |
58 | escapedParameterValues[i] = escapedParameterValue; |
59 | }//end-for |
60 | |
61 | escapedParametersValuesMap.put(name, escapedParameterValues); |
62 | }//end-else |
63 | |
64 | return escapedParameterValues; |
65 | } |
66 | } |
