1.在resource目錄下新增配置文件?ESAPI.properties 和validation.properties

?ESAPI.properties

# 是否要打印配置屬性,默認(rèn)為true

ESAPI.printProperties=true

ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController

ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator

ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder

ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor

ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor

ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities

ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector

ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory

ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer

ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator

#===========================================================================

# ESAPI Encoder

Encoder.AllowMultipleEncoding=false

Encoder.AllowMixedEncoding=false

Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec

#===========================================================================

# ESAPI 加密模塊

Encryptor.PreferredJCEProvider=

Encryptor.EncryptionAlgorithm=AES

Encryptor.CipherTransformation=AES/CBC/PKCS5Padding

Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC

Encryptor.cipher_modes.additional_allowed=CBC

Encryptor.EncryptionKeyLength=128

Encryptor.ChooseIVMethod=random

Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f

Encryptor.CipherText.useMAC=true

Encryptor.PlainText.overwrite=true

Encryptor.HashAlgorithm=SHA-512

Encryptor.HashIterations=1024

Encryptor.DigitalSignatureAlgorithm=SHA1withDSA

Encryptor.DigitalSignatureKeyLength=1024

Encryptor.RandomAlgorithm=SHA1PRNG

Encryptor.CharacterEncoding=UTF-8

Encryptor.KDF.PRF=HmacSHA256

#===========================================================================

# ESAPI Http工具

HttpUtilities.UploadDir=C:\\ESAPI\\testUpload

HttpUtilities.UploadTempDir=C:\\temp

# Force flags on cookies, if you use HttpUtilities to set cookies

HttpUtilities.ForceHttpOnlySession=false

HttpUtilities.ForceSecureSession=false

HttpUtilities.ForceHttpOnlyCookies=true

HttpUtilities.ForceSecureCookies=true

# Maximum size of HTTP headers

HttpUtilities.MaxHeaderSize=4096

# File upload configuration

HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll

HttpUtilities.MaxUploadFileBytes=500000000

# Using UTF-8 throughout your stack is highly recommended. That includes your database driver,

# container, and any other technologies you may be using. Failure to do this may expose you

# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.

HttpUtilities.ResponseContentType=text/html; charset=UTF-8

# This is the name of the cookie used to represent the HTTP session

# Typically this will be the default "JSESSIONID"

HttpUtilities.HttpSessionIdName=JSESSIONID

#===========================================================================

# ESAPI Executor

Executor.WorkingDirectory=

Executor.ApprovedExecutables=

#===========================================================================

# ESAPI Logging

# Set the application name if these logs are combined with other applications

Logger.ApplicationName=ExampleApplication

# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true

Logger.LogEncodingRequired=false

# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.

Logger.LogApplicationName=true

# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.

Logger.LogServerIP=true

# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you

# want to place it in a specific directory.

Logger.LogFileName=ESAPI_logging_file

# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)

Logger.MaxLogFileSize=10000000

#===========================================================================

# ESAPI Intrusion Detection

IntrusionDetector.Disable=false

IntrusionDetector.event.test.count=2

IntrusionDetector.event.test.interval=10

IntrusionDetector.event.test.actions=disable,log

IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1

IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1

IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout

IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10

IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5

IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout

IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2

IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10

IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout

#===========================================================================

# ESAPI 校驗(yàn)器

#校驗(yàn)器的配置文件

Validator.ConfigurationFile=validation.properties

# Validators used by ESAPI

Validator.AccountName=^[a-zA-Z0-9]{3,20}$

Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$

Validator.RoleName=^[a-z]{1,20}$

#the word TEST below should be changed to your application

#name - only relative URL's are supported

Validator.Redirect=^\\/test.*$

# Global HTTP Validation Rules

# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]

Validator.HTTPScheme=^(http|https)$

Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$

Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$

Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$

Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$

Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$

# Note that max header name capped at 150 in SecurityRequestWrapper!

Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,50}$

Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$

Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$

Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$

Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$

Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$

Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$

Validator.HTTPURL=^.*$

Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$

# Validation of file related input

Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$

Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$

# Validation of dates. Controls whether or not 'lenient' dates are accepted.

# See DataFormat.setLenient(boolean flag) for further details.

Validator.AcceptLenientDates=false

validation.properties

# 校驗(yàn)?zāi)硞€(gè)字段的正則表達(dá)式

Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$

Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$

Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$

Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$

Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$

Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$

新增依賴

<!-- 預(yù)防XSS攻擊工具 -->

<dependency>

<groupId>org.owasp.esapi</groupId>

<artifactId>esapi</artifactId>

<version>2.1.0</version>

</dependency>

<dependency>

<groupId>org.jsoup</groupId>

<artifactId>jsoup</artifactId>

<version>1.9.2</version>

</dependency>

在web-xml中新增配置

<!-- URL請(qǐng)求參數(shù)字符過濾或合法性校驗(yàn) -->

<filter>

<filter-name>XssFilter</filter-name>

<filter-class>com.zl.xssFilter.XssFilter</filter-class>

</filter>

<filter-mapping>

<filter-name>XssFilter</filter-name>

<url-pattern>/*</url-pattern>

<dispatcher>REQUEST</dispatcher>

<dispatcher>FORWARD</dispatcher>

</filter-mapping>

新增xssFilter

import org.apache.commons.logging.Log;

import org.apache.commons.logging.LogFactory;

import javax.servlet.*;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import java.io.IOException;

/**

* xss攻擊防護(hù)過濾器

*

* @author xuanwenhao

* @email 836786010@qq.com

* 時(shí)間 ：? 2019年6月25日

*/

public class XssFilterimplements Filter {

private static Loglog = LogFactory.getLog(XssFilter.class);

FilterConfigfilterConfig =null;

@Override

? ? public void init(FilterConfig filterConfig)throws ServletException {

this.filterConfig = filterConfig;

}

@Override

? ? public void doFilter(ServletRequest req,

ServletResponse res, FilterChain chain)

throws IOException, ServletException {

HttpServletRequest request = (HttpServletRequest) req;

HttpServletResponse response = (HttpServletResponse) res;

log.info("進(jìn)入XSS過濾器............");

chain.doFilter(new XssHttpServletRequestWrapper(request), response);

log.info("過濾器XSS執(zhí)行完......................");

}

@Override

? ? public void destroy() {

this.filterConfig =null;

}

}

新增 XssHttpServletRequestWrapper

import java.util.Map;

import java.util.Set;

import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.logging.Log;

import org.apache.commons.logging.LogFactory;

/**

* xss攻擊防護(hù)過濾器

*

* @author xuanwenhao

* @email 836786010@qq.com

* 時(shí)間 ：? 2019年6月25日

*/

public class XssHttpServletRequestWrapperextends HttpServletRequestWrapper {

private static Loglog = LogFactory.getLog(XssHttpServletRequestWrapper.class);

public XssHttpServletRequestWrapper(HttpServletRequest request) {

super(request);

}

/**

? ? * 對(duì)數(shù)組參數(shù)進(jìn)行特殊字符過濾

? ? */

? ? @Override

? ? public String[] getParameterValues(String name) {

String[] values =super.getParameterValues(name);

if (values ==null) {

return null;

}

int count = values.length;

String[] encodedValues =new String[count];

for (int i =0; i < count; i++) {

encodedValues[i] = cleanXSS(values[i]);

}

return encodedValues;

}

/**

? ? * 對(duì)參數(shù)中特殊字符進(jìn)行過濾

? ? */

? ? @Override

? ? public String getParameter(String name) {

String value =super.getParameter(name);

if (value ==null) {

return null;

}

return cleanXSS(value);

}

/**

? ? * 對(duì)集合參數(shù)進(jìn)行特殊字符過濾

? ? */

? ? @Override

? ? public Map getParameterMap() {

Map reqMap =super.getParameterMap();

Set set = reqMap.keySet();

for (Object s : set) {

//? ? ? ? ? ? ? Object t =((String[]) reqMap.get(s))[0];

//? ? ? ? ? ? ? Object o = cleanXSS((String) t);

//? ? ? ? ? ? ? t=o;

? ? ? ? ? ? String[] arr = (String[]) reqMap.get(s);

for (int i =0; i < arr.length; i++) {

String str = arr[i];

arr[i] = cleanXSS(str);

}

}

return reqMap;

}

private String cleanXSS(String value) {

log.info("過濾前傳遞參數(shù)：" + value);

if (value !=null) {

/**

? ? ? ? ? ? //推薦使用ESAPI庫來避免腳本攻擊,value = ESAPI.encoder().canonicalize(value); // 避免空字符串

? ? ? ? ? ? value = value.replaceAll(" ", "");

**/

//value = ESAPI.encoder().canonicalize(value);

? ? ? ? ? ? // 避免script 標(biāo)簽

? ? ? ? ? ? Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// 避免src形式的表達(dá)式

? ? ? ? ? ? scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// 刪除單個(gè)的 </script> 標(biāo)簽

? ? ? ? ? ? scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// 刪除單個(gè)的<script ...> 標(biāo)簽

? ? ? ? ? ? scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// 避免 eval(...) 形式表達(dá)式

? ? ? ? ? ? scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// 避免 e-xpression(...) 表達(dá)式

? ? ? ? ? ? scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// 避免 javascript: 表達(dá)式

? ? ? ? ? ? scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// 避免 vbscript:表達(dá)式

? ? ? ? ? ? scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// 避免 onload= 表達(dá)式

? ? ? ? ? ? scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

//移除特殊標(biāo)簽

? ? ? ? ? ? value = value.replaceAll("<","&lt;").replaceAll(">","&gt;");

// 避免 onXX= 表達(dá)式

? ? ? ? ? ? scriptPattern = Pattern.compile("on.*(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

}

log.info("過濾后傳遞參數(shù)：" + value);

return value;

}

}