防止SQL注入攻击的方法& Java Web应用程序中的XSS [英] Ways to prevent SQL Injection Attack & XSS in Java Web Application

问题描述

我正在编写一个java类，它将由servlet过滤器调用，并检查基于Struts的java Web应用程序的注入攻击尝试和XSS。 InjectionAttackChecker类使用正则表达式和java.util.regex.Pattern类根据正则表达式中指定的模式验证输入。

I'm writing a java class which would be invoked by a servlet filter and which checks for injection attack attempts and XSS for a java web application based on Struts. The InjectionAttackChecker class uses regex & java.util.regex.Pattern class to validate the input against the patterns specified in regex.

有了这个说法，我有以下问题：

With that said, I have following questions:

1. 所有特殊字符和字符模式（例如<>，。， - ，< =，==，> =应该被阻止以防止注射攻击。


2. 我可以使用现有的正则表达式模式吗？


3. 我必须在某些特定情况下允许一些特殊字符模式，一些示例值（允许）是（使用'pipe'|字符作为不同值的分隔符）* Atlanta | ＃654，BLDG 8＃501 |单纯疱疹：慢性溃疡（> 1个月的持续时间）或支气管炎，肺炎或食道炎FUNC& COMP（date_cmp），NDI& MALKP& HARS_IN（icd10，yes）。我应该采取什么策略，以便可以防止注射攻击和XSS，但仍然允许这些字符模式。

1. What all special characters and character patterns (for example <>, ., --, <=, ==,>=) should be blocked so that injection attack could be prevented.
2. Is there any existing regex pattern which I could use as is?
3. I have to allow some of the special character patterns in some specific cases, some example values (to be allowed) are (used 'pipe' | character as a separator of different values) *Atlanta | #654,BLDG 8 #501 | Herpes simplex: chronic ulcer(s) (>1 mo. duration) or bronchitis, pneumonitis, or esophagitis | FUNC & COMP(date_cmp), "NDI & MALKP & HARS_IN(icd10, yes)" . What strategy should I adopt so that injection attack and XSS could be prevented but still allowing these character patterns.

我希望我已经提到了问题清楚。但如果我没有，我道歉只是我的第二个问题。如果需要澄清，请告诉我。

I hope I have mentioned the question clearly. But if I didn't, I apologize as its just my 2nd question. Please let me know if any clarification is needed.

推荐答案

根据您的问题，我假设您正在尝试过滤错误值。我个人认为这种方法可以非常快速地变得非常复杂，并建议将编码值作为替代方法。这篇关于这个主题的IBM文章列出了这两种方法的优点和缺点， http://www.ibm.com/developerworks/tivoli/library/s-csscript/ 。

Based on your questions I am assuming you are attempting to filtering bad values. I personally feel that this method can get very complex very quickly and would recommend encoding values as an alternate method. Here is an IBM article on the subject that lays out the pros and cons of both methods, http://www.ibm.com/developerworks/tivoli/library/s-csscript/.

为避免SQL注入攻击，只需使用预准备语句而不是创建SQL字符串。

To avoid SQL injection attacks just use prepared statements instead of creating SQL strings.

这篇关于防止SQL注入攻击的方法&amp; Java Web应用程序中的XSS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！