Java审计之XSS漏洞分析与防御<\/h1>

0x00 XSS漏洞概述<\/h2>

XSS(跨站脚本攻击)漏洞产生过程：后台未对用户输入进行检查或过滤，直接把用户输入返回至前端，导致JavaScript代码在客户端任意执行。<\/p>

在Java中，XSS通常表现为：<\/p>

接收未经过滤的参数共享到request域中<\/li>

在JSP页面里使用EL表达式直接输出这些参数<\/li> <\/ul>

0x01 Java中XSS漏洞代码分析<\/h2>

基础示例代码<\/h3>

Servlet代码(xssServlet.java):<\/strong><\/p>

@WebServlet<\/span>(<\/span>"\/demo"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> xssServlet<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    protected<\/span> void<\/span> doPost<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> ServletException,<\/span> IOException {<\/span>
<\/span><\/span>        this<\/span>.<\/span>doGet<\/span>(<\/span>request,<\/span>response);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    protected<\/span> void<\/span> doGet<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> ServletException,<\/span> IOException {<\/span>
<\/span><\/span>        response.<\/span>setContentType<\/span>(<\/span>"text\/html"<\/span>);<\/span> \/\/ 设置响应类型
<\/span><\/span><\/span><\/span>        String content =<\/span> request.<\/span>getParameter<\/span>(<\/span>"content"<\/span>);<\/span> \/\/ 获取content传参数据
<\/span><\/span><\/span><\/span>        request.<\/span>setAttribute<\/span>(<\/span>"content"<\/span>,<\/span> content);<\/span> \/\/ content共享到request域
<\/span><\/span><\/span><\/span>        request.<\/span>getRequestDispatcher<\/span>(<\/span>"\/WEB-INF\/pages\/xss.jsp"<\/span>).<\/span>forward<\/span>(<\/span>request,<\/span> response);<\/span> \/\/ 转发到xss.jsp页面
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>JSP页面(xss.jsp):<\/strong><\/p>
<%@ page contentType="text\/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>Title<\/title>
    ${requestScope.content}
<\/head>
<body><\/body>
<\/html>
<\/code><\/pre>
漏洞验证<\/h3>
访问URL: http:\/\/localhost:8080\/untitled3_war_exploded\/demo?content=<script>alert("xss")<\/script><\/code><\/p>
审计要点<\/h3>

参数是否可控<\/li>
传入的参数是否会被过滤后共享到request域中<\/li>
如果在可控且不被过滤的情况下，很可能存在XSS漏洞<\/li>
<\/ol>
0x02 XSS防御策略<\/h2>
使用ESAPI进行防御<\/h3>
ESAPI介绍<\/strong>：

企业安全API(ESAPI)是OWASP项目，为Web平台创建简单强大的安全控件，可以应付大部分Web攻击漏洞。<\/p>
Maven依赖<\/strong>:<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.owasp.esapi<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>esapi<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>2.2.1.1<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>防御代码示例<\/strong>:<\/p>
@WebServlet<\/span>(<\/span>"\/demo"<\/span>)<\/span>
<\/span><\/span>class<\/span> xssServlet<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    protected<\/span> void<\/span> doGet<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> ServletException,<\/span> IOException {<\/span>
<\/span><\/span>        response.<\/span>setContentType<\/span>(<\/span>"text\/html"<\/span>);<\/span>
<\/span><\/span>        String content =<\/span> request.<\/span>getParameter<\/span>(<\/span>"content"<\/span>);<\/span>
<\/span><\/span>        String s =<\/span> ESAPI.<\/span>encoder<\/span>().<\/span>encodeForJavaScript<\/span>(<\/span>content);<\/span> \/\/ 进行实体编码
<\/span><\/span><\/span><\/span>        request.<\/span>setAttribute<\/span>(<\/span>"content"<\/span>,<\/span> s);<\/span>
<\/span><\/span>        request.<\/span>getRequestDispatcher<\/span>(<\/span>"\/WEB-INF\/pages\/xss.jsp"<\/span>).<\/span>forward<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x03 setAttribute中的XSS审计<\/h2>
审计步骤<\/h3>

全局搜索request.setAttribute<\/code>方法<\/li>
查看传值类型，跟踪到实体类<\/li>
关注实体类中String类型的变量<\/li>
跟踪调用链，查看是否有过滤<\/li>
追溯DAO层查看是否存入数据库<\/li>
<\/ol>
典型漏洞模式<\/h3>
\/\/ Controller
<\/span><\/span><\/span><\/span>String userInput =<\/span> request.<\/span>getParameter<\/span>(<\/span>"input"<\/span>);<\/span>
<\/span><\/span>request.<\/span>setAttribute<\/span>(<\/span>"output"<\/span>,<\/span> userInput);<\/span> \/\/ 未过滤直接共享到request域
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ JSP
<\/span><\/span><\/span><\/span>${<\/span>output}<\/span> \/\/ 直接输出
<\/span><\/span><\/span><\/code><\/pre>0x04 ModelAndView中的XSS审计<\/h2>
ModelAndView基础<\/h3>
ModelAndView是Spring MVC提供的模型和视图封装类，内部使用Map实现，视图解析器会将model中的每个元素通过request.setAttribute(name, value)<\/code>添加到request域中。<\/p>
常用方法<\/strong>:<\/p>

addObject(String attributeName, Object attributeValue)<\/code><\/li>
getModel().put("name", "value")<\/code><\/li>
<\/ol>
审计步骤<\/h3>

全局搜索new ModelAndView<\/code><\/li>
查看调用的方法，特别是addObject<\/code><\/li>
跟踪共享的值来源<\/li>
检查是否有过滤处理<\/li>
<\/ol>
典型漏洞模式<\/h3>
ModelAndView mav =<\/span> new<\/span> ModelAndView(<\/span>"page"<\/span>);<\/span>
<\/span><\/span>mav.<\/span>addObject<\/span>(<\/span>"data"<\/span>,<\/span> userInput);<\/span> \/\/ 未过滤直接添加
<\/span><\/span><\/span><\/code><\/pre>0x05 存储型XSS审计实战<\/h2>
审计流程<\/h3>

定位Controller中接收用户输入的方法<\/li>
跟踪Service层处理逻辑<\/li>
检查DAO层数据操作<\/li>
确认前端展示方式<\/li>
<\/ol>
关键点<\/h3>

关注所有String类型的字段<\/li>
检查数据流：输入→处理→存储→输出<\/li>
确认每个环节是否有过滤或编码<\/li>
<\/ul>
0x06 参考工具与技术<\/h2>

ESAPI<\/strong>: OWASP提供的企业安全API<\/li>
Lombok<\/strong>: 简化Java代码的插件<\/li>
MyBatis<\/strong>: 关注XML映射文件中的SQL语句<\/li>
JSP EL表达式<\/strong>: ${}<\/code>直接输出可能存在风险<\/li>
<\/ol>
0x07 总结<\/h2>
Java审计中XSS漏洞的关键点：<\/p>

输入点：request.getParameter()<\/code>等获取用户输入的方法<\/li>
处理过程：是否经过过滤或编码<\/li>
输出点：JSP中的EL表达式、JSTL标签等<\/li>
数据流：从输入到输出的完整路径<\/li>
<\/ol>
防御建议：<\/p>

对所有用户输入进行验证和过滤<\/li>
输出时进行HTML编码<\/li>
使用ESAPI等安全框架<\/li>
实施内容安全策略(CSP)<\/li>
<\/ol>

Java审计之XSS漏洞分析与防御<\/h1>

0x01 Java中XSS漏洞代码分析<\/h2>

漏洞验证<\/h3> 访问URL: http:\/\/localhost:8080\/untitled3_war_exploded\/demo?content=<script>alert("xss")<\/script><\/code><\/p>

0x02 XSS防御策略<\/h2>

0x03 setAttribute中的XSS审计<\/h2>

0x04 ModelAndView中的XSS审计<\/h2>

0x05 存储型XSS审计实战<\/h2>

漏洞验证<\/h3>
访问URL: `http:\/\/localhost:8080\/untitled3_war_exploded\/demo?content=<script>alert("xss")<\/script><\/code><\/p>`