XSS 방어를 위한 보안필터를 만들어 적용할 수 있다.
RequestWrapper.java request를 가로채서 공격문자를 필터링할 메소드를 가진 클래스
|
package filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public final class RequestWrapper extends HttpServletRequestWrapper {
public RequestWrapper(HttpServletRequest servletRequest){
super(servletRequest);
}
public String[] getParameterValues(String parameter){
String[] values = super.getParameterValues(parameter);
if(values == null){
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for(int i = 0; i < count; i++){
encodedValues[i] = XssFilterMethod(values[i]);
}
return encodedValues;
}
public String getParameter(String parameter){
String value = super.getParameter(parameter);
if(value == null){
return null;
}
return XssFilterMethod(value);
}
public String getHeader(String name){
String value = super.getHeader(name);
if(value == null){
return null;
}
return XssFilterMethod(value);
}
private String XssFilterMethod(String value){
System.out.println("input value :"+value);
//필요한 필터릴 룰셋을 추가
value = value.replaceAll("<", "<").replaceAll(">",">");
value = value.replaceAll("script", "");
System.out.println("Filtered value :"+value);
return value;
}
}
|
XssFilter.java 필터 설정 메소드
|
package filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter {
private FilterConfig filterConfig = null;
public void init(FilterConfig filterConfig) throws ServletException{
this.filterConfig = filterConfig;
}
public void destroy(){
this.filterConfig = null;
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException{
chain.doFilter(new RequestWrapper((HttpServletRequest)request), response);
}
}
|
web.xml web.xml에 필터 설정(하기 빨간색 표시 부분)
|
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>StrutsIbatis</display-name>
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>
org.apache.struts.action.ActionServlet
</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>pagingIndex3.do</welcome-file>
</welcome-file-list>
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
|
* 필터 적용 테스트 페이지
filterTest1.jsp에서 filterTest_proc.jsp 로 전송되는 데이터에서 필터에 의해 replaceAll되는 메세지는 제거 되는것을 볼 수 있음.
filterTest1.jsp
|
<%@ page language="java" contentType="text/html; charset=EUC-KR"
pageEncoding="EUC-KR"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=EUC-KR">
<title>Insert title here</title>
</head>
<body>
<form method="post" action="filterTest_proc.jsp">
<input type="text" name="val1" size="50"/>
<input type="submit"/>
</form>
</body>
</html> |
filterTest_proc.jsp
|
<%@ page language="java" contentType="text/html; charset=EUC-KR"
pageEncoding="EUC-KR"%>
<%
out.println(request.getParameter("val1"));
%> |
전송페이지에서 <script>alert('test1');</script> 와 같이 xss 공격가능여부를 테스트해볼 스크립트 문자열을
보냈을때 Filter에서 이를 걸러서 script라는 문자열이 제거된 형태로 결과가 출력되는것을 볼 수 있다.
댓글