跨站点请求伪造 跨站点脚本编制 通过框架钓鱼漏洞

1、跨站点请求伪造 跨站点脚本编制 通过框架钓鱼漏洞

主要是通过在url或参数中添加脚本如：

1、URL中添加

2、参数value=。

添加一个过滤器对特殊字符进行拦截

 package com.xxx.sys.filter;

 import java.io.IOException;
 import java.util.Enumeration;

 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.apache.log4j.Logger;

 /**
  * 非法字符过滤器
  * 1.所有非法字符配置在web.xml中，如需添加新字符，请自行配置
  * 2.请注意请求与相应时的编码格式设置，否则遇到中文时，会出现乱码(GBK与其子集应该没问题)
  * @author lee
  *
  */
 public class CharFilter implements Filter {
     private Logger log = Logger.getLogger(CharFilter.class);
     private String encoding;
     private String[] legalNames;
     private String[] illegalChars;

     public void init(FilterConfig filterConfig) throws ServletException {
         encoding = filterConfig.getInitParameter("encoding");
         legalNames = filterConfig.getInitParameter("legalNames").split(",");
         illegalChars = filterConfig.getInitParameter("illegalChars").split(",");
     }

     public void destroy() {
         encoding = null;
         legalNames = null;
         illegalChars = null;
     }


     public void doFilter(ServletRequest request, ServletResponse response,
             FilterChain filterChain) throws IOException, ServletException {

         HttpServletRequest req = (HttpServletRequest)request;
         HttpServletResponse res = (HttpServletResponse) response;

         //必须手动指定编码格式
         req.setCharacterEncoding(encoding);
         String tempURL = req.getRequestURI();
         log.info(tempURL);
         Enumeration params = req.getParameterNames();

         //是否执行过滤  true：执行过滤  false：不执行过滤
         boolean executable = true;

         //非法状态  true：非法  false；不非法
         boolean illegalStatus = false;
         String illegalChar = "";
         //对参数名与参数进行判断
         w:while(params.hasMoreElements()){

             String paramName = (String) params.nextElement();

             executable = true;

             //密码不过滤
             if(paramName.toLowerCase().contains("password")){
                 executable = false;
             }else{
                 //检查提交参数的名字，是否合法，即不过滤其提交的值
                 f:for(int i=0;i
                     if(legalNames[i].equals(paramName)){
                         executable = false;
                         break f;
                     }
                 }
             }

             if(executable){
                 String[] paramValues = req.getParameterValues(paramName);

                 f1:for(int i=0;i

                     String paramValue = paramValues[i];

                     f2:for(int j=0;j

                         illegalChar = illegalChars[j];

                         if(paramValue.indexOf(illegalChar) != -1){
                             illegalStatus = true;//非法状态
                             break f2;
                         }
                     }

                     if(illegalStatus){
                         break f1;
                     }

                 }
             }

             if(illegalStatus){
                 break w;
             }
         }
         //对URL进行判断
         for(int j=0;j

             illegalChar = illegalChars[j];

             if(tempURL.indexOf(illegalChar) != -1){
                 illegalStatus = true;//非法状态
                 break;
             }
         }
         if(illegalStatus){
             //必须手动指定编码格式
             res.setContentType("text/html;charset="+encoding);
             res.setCharacterEncoding(encoding);
             res.getWriter().print("window.alert('当前链接中存在非法字符');window.history.go(-1);");
         }else{
             filterChain.doFilter(request, response);
         }
     }

 }

web.xml code

 <filter>
         <filter-name>charFilterfilter-name>
         <filter-class>com.xxx.sys.filter.CharFilterfilter-class>
         <init-param>
             <param-name>encodingparam-name>
             <param-value>UTF-8param-value>
         init-param>
         <init-param>
             <param-name>legalNamesparam-name>
             <param-value>content1,ver,historyURL,listURLparam-value>
         init-param>
         <init-param>
             <param-name>illegalCharsparam-name>
             <param-value>|,$,@,',",\',\",<,>,(,),+,CR,LF,\",",\,httpparam-value>
         init-param>
     filter>