Filter defense xss of Java audit

0x00 Preface

This article looks at some small details of auditing from both the attack and defence perspectives. The two earlier XSS audit articles left out one important point: the Filter. It is often said that the first step of a Java audit is to read web.xml, where you can see which frameworks the CMS was built on; the second step is to check which Filters are configured there.

Audit articles:

XSS of Java audit

xss audit points of Java audit

0x01 Filter defense xss

Filters were already covered in the Java learning series:

Filter and Listener in Java learning

One concept needs to be clear here. Filters belong to the Servlet specification and work in any framework; interceptors (HandlerInterceptor) are specific to Spring MVC.

A Filter is configured in web.xml, while an interceptor is configured in the Spring MVC XML file. Note that since Servlet 3.0 a Filter can also be registered with the @WebFilter annotation or programmatically through ServletContext.addFilter, so an audit that reads only web.xml can miss a Filter; grep for those as well.

This is why web.xml is the first file to read.
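As an added example (not code from the original post), here are the two registration paths that leave no <filter> entry in web.xml, reusing the post's xssFiler class. It assumes Servlet 3.0+ (javax.servlet-api) and a container that scans annotations, which is the default unless web.xml sets metadata-complete="true"; the filter names are hypothetical.

```java
package com.test.filter;

import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;

/**
 * Added example, not code from the post: two ways a Filter gets registered
 * without any <filter> element in web.xml. Both reuse the post's xssFiler.
 * Assumes Servlet 3.0+ and annotation scanning enabled (the default).
 */
// 1) Annotation registration: the mapping lives on the class, not in web.xml.
@WebFilter(filterName = "xssFilterByAnnotation", urlPatterns = "/*",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.ERROR})
public class AnnotatedXssFilter extends xssFiler {

    // 2) Programmatic registration at startup. A Spring WebApplicationInitializer
    //    can do exactly the same inside onStartup(ServletContext).
    @WebListener
    public static class Registrar implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            FilterRegistration.Dynamic reg = ctx.addFilter("xssFilterProgrammatic", xssFiler.class);
            // A web.xml <filter-mapping> without <dispatcher> applies to REQUEST only;
            // forwards and error-page dispatches then bypass the filter unless listed here.
            reg.addMappingForUrlPatterns(
                    EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.ERROR),
                    true, "/*");
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) {
        }
    }
}
```

When auditing, search the code base for `@WebFilter`, `addFilter(` and, in Spring Boot projects, `FilterRegistrationBean`, in addition to reading web.xml; also check which dispatcher types each mapping covers, since a REQUEST-only mapping leaves forwarded and error-page requests unfiltered.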

Look at the screenshot below.

This is a simple add/delete/modify/query page I wrote with SSM (Spring + Spring MVC + MyBatis). Click Add and put an XSS payload directly into the email field.

The alert box pops: nothing in the code processes the input.

To prevent XSS, the previous audit article discussed using a utility class to process the received parameters on input or on output. But if a developer overlooks one spot and forgets to process it, the vulnerability remains; moreover, every input and output has to be handled one by one, which is tedious. To solve this, the Filter discussed here can perform global filtering.

Configuration in web.xml:

  <filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>com.test.filter.xssFiler</filter-class>
  </filter>
  <!-- solve xss loophole -->
  <filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

filter code:

package com.test.filter;


import com.test.utils.XssFilterWrapper;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Function: Xss filter
 * Author: Tiddler
 * Time: 10:21, November 11, 2018
 * Class name: XssFilter
 **/
public class xssFiler implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        //Use wrapper
        System.out.println("Filter executed");
        XssFilterWrapper xssFilterWrapper=new XssFilterWrapper((HttpServletRequest) servletRequest);
        filterChain.doFilter(xssFilterWrapper,servletResponse);
    }

    @Override
    public void destroy() {

    }
}

XssFilterWrapper Code:

package com.test.utils;


import org.springframework.web.util.HtmlUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Function: anti Xss filter [wrapper]
 * Author: Tiddler
 * Time: 10:20, November 11, 2018
 * Class name: XssFilterWrapper
 **/
public class XssFilterWrapper extends HttpServletRequestWrapper {
    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Special character filtering for array parameters.
     * Note: only this method is overridden, so request.getParameter(name)
     * and request.getParameterMap() still return the raw values.
     */
    @Override
    public String[] getParameterValues(String name) {
        if ("content".equals(name)) { // Parameter deliberately not filtered: content is rich text
            return super.getParameterValues(name);
        }
        String[] values = super.getParameterValues(name);
        if (values == null) { // parameter absent from the request; avoid a NullPointerException
            return null;
        }
        String[] newValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            newValues[i] = HtmlUtils.htmlEscape(values[i]); // Spring's HtmlUtils entity-escapes < > & " '
        }
        return newValues;
    }

}

With the filter in place, the injected XSS is no longer executed; it is output as plain text.

Printing all received values in the code shows that the email value has indeed been entity-encoded. Two things are worth noting: the encoding happens on input, so the escaped form is what gets stored and later displayed; and since the wrapper overrides only getParameterValues, it covers Spring MVC's parameter binding (which reads through getParameterValues) but not code that calls request.getParameter() or getParameterMap() directly.

0x02 some small thoughts

Knowing that a Filter can prevent XSS: if, while auditing, you find parameters used with no processing at the call site, check whether a global Filter is doing the work before reporting a vulnerability. This also suggests that the probability of XSS in Java projects may be lower: if everything can be filtered globally, why filter each value one by one? Of course there are special cases. For instance, a value the developer wants to take without entity encoding has to be excluded from the wrapper or read through another method. Let's look at one such case in the XssFilterWrapper code:

        if ("content".equals(name)) { // Parameter deliberately not filtered: content is rich text
            return super.getParameterValues(name);
        }

If the content parameter is taken here, it is unprocessed, so XSS may still exist. During an audit, therefore, the wrapper's exclusion list and the request methods it does not override are the first places to look: parameters the filter skips, request.getParameter()/getParameterMap()/getHeader() when only getParameterValues() is wrapped, and JSON bodies read through getInputStream() all arrive unescaped. Input-side HTML escaping also only fits an HTML text context; a value that lands in an unquoted attribute or a raw JavaScript context can still be exploitable even after HtmlUtils.htmlEscape.
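The following is an added example, not the original post's wrapper: it escapes every parameter read path (getParameter, getParameterValues and getParameterMap), guards against absent parameters, and keeps the allow-list of raw parameters explicit so an auditor can find it in one place. It assumes javax.servlet-api and spring-web on the classpath; the "content" exclusion mirrors the post's rich-text case, and the main() method builds a fake request from a dynamic proxy with constructed input so it can be run without a container.

```java
package com.test.utils;

import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.web.util.HtmlUtils;

/**
 * Added example, not the post's own wrapper: escapes getParameter,
 * getParameterValues and getParameterMap, tolerates absent parameters,
 * and keeps the unescaped parameters in one explicit allow-list.
 * Assumes javax.servlet-api and spring-web are on the classpath.
 */
public class XssRequestWrapper extends HttpServletRequestWrapper {

    // Parameters deliberately left unescaped (hypothetical allow-list, mirrors the post's "content").
    // Every name listed here is a place where the OUTPUT side must do its own escaping.
    private static final Set<String> RAW_PARAMS = Collections.singleton("content");

    public XssRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    private static String escape(String value) {
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return RAW_PARAMS.contains(name) ? value : escape(value);
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null || RAW_PARAMS.contains(name)) {
            return values; // absent parameter (null) or allow-listed: pass through unchanged
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        // Rebuild the map through getParameterValues so the same rules apply to every name
        Map<String, String[]> escaped = new LinkedHashMap<>();
        for (String name : super.getParameterMap().keySet()) {
            escaped.put(name, getParameterValues(name));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Stand-alone check: a fake HttpServletRequest built from a dynamic proxy over constructed input. */
    public static void main(String[] args) {
        Map<String, String[]> params = new HashMap<>();
        params.put("email", new String[] {"<script>alert(1)</script>"});
        params.put("content", new String[] {"<b>rich text</b>"});

        HttpServletRequest fake = (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] {HttpServletRequest.class},
                (proxy, method, margs) -> {
                    switch (method.getName()) {
                        case "getParameterValues":
                            return params.get(margs[0]);
                        case "getParameter":
                            String[] v = params.get(margs[0]);
                            return v == null ? null : v[0];
                        case "getParameterMap":
                            return params;
                        default:
                            throw new UnsupportedOperationException(method.getName());
                    }
                });

        XssRequestWrapper wrapped = new XssRequestWrapper(fake);
        System.out.println("email   = " + wrapped.getParameter("email"));         // entity-encoded
        System.out.println("content = " + wrapped.getParameter("content"));       // raw, by design
        System.out.println("missing = " + wrapped.getParameterValues("missing")); // null, no exception
        System.out.println("map     = " + wrapped.getParameterMap().keySet());
    }
}
```

Even this wrapper only touches request parameters: headers, cookies and JSON or XML bodies read through getInputStream() or getReader() are untouched, and input-side escaping still assumes the value ends up in an HTML text context. When auditing, treat RAW_PARAMS and every non-parameter input as the list of places to trace to their output.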

Reference articles

https://blog.csdn.net/qq_31384551/article/details/83956681
https://www.cnblogs.com/hero123/p/9091625.html

0x03 end

At the end, stick a picture!

Tags: Java

Posted by dreamlove on Mon, 16 May 2022 04:01:30 +0300