如何在没有 SpringBoot 的情况下为 Spring MVC 4 应用程序阻止或防止 XSS [英] How to block or protect against XSS for Spring MVC 4 applications without SpringBoot

问题描述

您如何保护和清理采用原始 JSON 主体并通常输出 JSON 响应且不使用 Spring Boot 的应用程序.我只看到了一个可能有效并使用 JsonComponent 的好例子.如果我们不使用 jsoncomponent，如何从整个 JSON 请求正文中过滤掉一个请求以删除错误的跨站点脚本标记?此外，检测请求正文中的 XSS 标记并抛出错误也是可以的.

How do you protect, sanitize applications that take raw JSON bodies and typically output JSON responses and don't use Spring Boot. I only saw one good example that might work and used JsonComponent. If we don't use jsoncomponent, how to filter out a request to remove bad cross site scripting tags from a the entire JSON request body? Also, it would be OK to detect XSS tags in the request body and throw an error.

还要寻找一种全球解决方案，可以保护 JSON 请求的所有输入/输出，并将该代码添加到一个区域.我们可以使用 JSR bean 验证，但我们必须点击所有定义的属性和变量.

Also looking for a global solution that might protect all input/output of JSON requests and add that code in one area. We could use JSR bean validation but we would have to hit all of the define properties and variables.

是否还可以查看包含脚本标签的数据的 JSON 有效负载.

Is it possible to also look at the JSON payload for data which could include script tags.

推荐答案

首先，漏洞防护的概念与SpringBoot无关，XSS就是其中之一.

First of all , concept to protect against vulnerabilities has nothing to do with SpringBoot and XSS is one of those vulnerabilities.

通过实施 org.springframework.web.filter.OncePerRequestFilter 并根据您使用的顶级框架来保护此漏洞你有什么样的应用程序 - 过滤注册 &必须执行链接过程.

This vulnerability is protected by implementing a org.springframework.web.filter.OncePerRequestFilter and depending on which top framework you use & what kind of app you have - filter registration & chaining process has to be implemented.

想法是简单地清理每个传入的 JSON 主体 &使用经过消毒的请求正文调用链中的下一个过滤器.

Idea is to simply sanitize every incoming JSON body & call next filter in chain with sanitized request body.

如果您有一个基于 Spring 的项目，您应该首先尝试使用 Spring Security 依赖项并启用默认安全功能.参考这个问题

If you have a Spring based project, you should first try to use Spring Security dependencies and enable default security features. refer this question

对于由 spring security 提供的 xss 保护，他们有此免责声明 -

For xss protection , offered by spring security they have this disclaimer -

注意这不是全面的 XSS 保护！

Note this is not comprehensive XSS protection!

就我而言，我编写了一个自定义 XSS 保护过滤器实现 - org.springframework.web.filter.OncePerRequestFilter

In my case, I wrote a custom XSS protection filter implementing - org.springframework.web.filter.OncePerRequestFilter

在这个过滤器中 - 我使用了这个 API ，

In this filter- I have used this API ,

<dependency>
            <groupId>org.owasp.esapi</groupId>
            <artifactId>esapi</artifactId>
</dependency>

在我的代码中，我列出了可能的攻击模式，但我想可能有更好的方法来做到这一点.

In my code , I have listed down possible attack patterns but I guess there might be better way to do it.

在 SO 上参考这两个以了解更多我在说什么 - XSS 过滤器删除所有脚本 &如何在 Jersey 2 中修改 QueryParam 和 PathParam

Refer these two on SO to know more as what I am talking about - XSS filter to remove all scripts & How to Modify QueryParam and PathParam in Jersey 2

Melardev 的回答解释了 @RequestParam 的唯一情况 &当它是 JSON 主体时，您必须扩展该方法来处理这种情况.我已经处理了 json 主体的情况，但由于公司版权而无法共享我的代码.

Answer by Melardev is explaining the only case for @RequestParam & you have to extend that approach to handle the case when its a JSON body. I have handled the case of a json body but can't share my code due to company copy right .

这篇关于如何在没有 SpringBoot 的情况下为 Spring MVC 4 应用程序阻止或防止 XSS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！