XSS 방어를 위한 보안필터를 만들어 적용할 수 있다.
RequestWrapper.java: request를 가로채서 공격 문자를 필터링하는 메소드를 가진 클래스
package filter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
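public final class RequestWrapper extends HttpServletRequestWrapper {

    /**
     * Wraps the incoming request so that parameter and header values are
     * HTML-encoded before the application reads them.
     *
     * @param servletRequest the request to wrap
     */
    public RequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    /**
     * Returns every value of the named parameter, each one filtered.
     *
     * @param parameter parameter name
     * @return the filtered values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        return filterAll(values);
    }

    /**
     * Returns the whole parameter map with every value filtered. Without this
     * override, code that reads {@code getParameterMap()} (form-population
     * helpers typically do) would receive the raw values and bypass the filter.
     *
     * @return an unmodifiable map of filtered parameter values
     */
    @Override
    @SuppressWarnings("unchecked") // Servlet 2.x declares the return type as a raw Map
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> filtered = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            filtered.put(entry.getKey(), values == null ? null : filterAll(values));
        }
        return Collections.unmodifiableMap(filtered);
    }

    /**
     * Returns the first value of the named parameter, filtered.
     *
     * @param parameter parameter name
     * @return the filtered value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return XssFilterMethod(value);
    }

    /**
     * Returns the named header, filtered. Only the single-value accessor is
     * wrapped; {@code getHeaders(String)} still returns raw values.
     *
     * @param name header name
     * @return the filtered header value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return XssFilterMethod(value);
    }

    /** Applies {@link #XssFilterMethod(String)} to each element, returning a new array. */
    private String[] filterAll(String[] values) {
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = values[i] == null ? null : XssFilterMethod(values[i]);
        }
        return encodedValues;
    }

    /**
     * HTML-encodes the characters that can open a tag or terminate an attribute,
     * then removes the literal word "script".
     *
     * @param value raw request value, never {@code null}
     * @return the encoded value
     */
    private String XssFilterMethod(String value) {
        // NOTE: this echoes every filtered parameter and header value (Cookie and
        // Authorization included) to stdout; acceptable for the demo, not for production.
        System.out.println("input value :" + value);
        // Encode instead of deleting, so the original text is preserved but inert.
        // '&' goes first so the entities written below are not re-encoded; both
        // quote characters are covered so a value placed inside an HTML attribute
        // cannot close it.
        value = value.replace("&", "&amp;")
                     .replace("<", "&lt;")
                     .replace(">", "&gt;")
                     .replace("\"", "&quot;")
                     .replace("'", "&#39;");
        // Legacy rule kept from the original filter: remove "script". Case-insensitive
        // and repeated until stable so "SCRIPT" or "scrscriptipt" cannot survive a single
        // pass. Beware that it also mangles harmless words such as "description"; the
        // encoding above is the actual defense.
        String previous;
        do {
            previous = value;
            value = value.replaceAll("(?i)script", "");
        } while (!value.equals(previous));
        System.out.println("Filtered value :" + value);
        return value;
    }
}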
XssFilter.java 필터 설정 메소드
package filter;
import java.io.IOException;
import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest;
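public class XssFilter implements Filter {

    /** Configuration handed over by the container in {@link #init}; retained only. */
    private FilterConfig filterConfig = null;

    /**
     * Stores the container-supplied configuration.
     *
     * @param filterConfig configuration for this filter instance
     * @throws ServletException never thrown here; declared by the interface
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /** Releases the configuration reference when the container unloads the filter. */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps HTTP requests in a {@link RequestWrapper} so that downstream code
     * sees filtered parameter and header values.
     *
     * @param request  incoming request
     * @param response outgoing response, passed through untouched
     * @param chain    the rest of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // The wrapper only exists for HTTP requests; anything else is passed along
        // unchanged rather than failing with a ClassCastException.
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }
}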
web.xml web.xml에 필터 설정(하기 빨간색 표시 부분)
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>StrutsIbatis</display-name>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class> org.apache.struts.action.ActionServlet </servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file>pagingIndex3.do</welcome-file>
  </welcome-file-list>
  <!-- XSS filter registration: filter.XssFilter is mapped to /* so it runs in
       front of every request, including the *.do Struts actions mapped above. -->
  <filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>filter.XssFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
* 필터 적용 테스트 페이지
filterTest1.jsp에서 filterTest_proc.jsp로 전송되는 데이터 중 필터의 replaceAll 규칙에 해당하는 메시지가 제거되는 것을 볼 수 있음.
filterTest1.jsp
<%@ page language="java" contentType="text/html; charset=EUC-KR" pageEncoding="EUC-KR"%>
<%-- Test input page: posts a single text field "val1" to filterTest_proc.jsp.
     The request passes through XssFilter (mapped to /* in web.xml) before that page reads it. --%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=EUC-KR">
<title>Insert title here</title>
</head>
<body>
<form method="post" action="filterTest_proc.jsp">
<input type="text" name="val1" size="50"/>
<input type="submit"/>
</form>
</body>
</html>
filterTest_proc.jsp
<%@ page language="java" contentType="text/html; charset=EUC-KR" pageEncoding="EUC-KR"%>
<%-- Echoes "val1" straight into the HTML response to show the filter's effect.
     Nothing on this page encodes the value itself; it relies entirely on the
     request-level XssFilter. Outside of this demo, encoding at the point of
     output is the usual control for this kind of reflection. --%>
<% out.println(request.getParameter("val1")); %>
전송 페이지에서 <script>alert('test1');</script> 와 같이 xss 공격 가능 여부를 테스트해 볼 스크립트 문자열을
보냈을 때 Filter에서 이를 걸러서 script라는 문자열이 제거된 형태로 결과가 출력되는 것을 볼 수 있다.