Spring Boot Filter - how to filter metacharacters and prevent XSS attacks

Time: 2018-07-04 05:11:08

Tags: java spring-boot spring-security xss spring-security-oauth2

I am trying to implement an XSS filter for my Spring Boot project (an Authentication Server with OAuth2 Spring Security enabled, used for my API gateway).

I ran a vulnerability assessment against the authentication server and found that an XSS attack could be carried out against my application. After that I wrote an XSS filter to filter untrusted malicious code. But I don't know how to add this filter in javascript, and is what I am trying to do the right approach?

Can anyone guide me through this filtering process, or is there another best option to do this?

For the "filter" task I am using javax.servlet.Filter and HttpServletRequestWrapper.

My WebMvcConfigurerAdapter:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class OAuthWebFormConfiguration extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/login").setViewName("login");
        registry.addViewController("/oauth/confirm_access").setViewName("authorize");
    }

    @Configuration
    @Order(-20)
    protected static class LoginConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private CustomAuthenticationManager customAuthenticationManager;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .formLogin().loginPage("/login").permitAll()
                .and()
                .requestMatchers()
                    .antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and()
                .csrf()
                    .csrfTokenRepository(cookieCsrfTokenRepository())
                .and()
                .headers()
                    .frameOptions().sameOrigin()
                    .xssProtection().xssProtectionEnabled(true);
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/assets/**");
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.parentAuthenticationManager(customAuthenticationManager);
        }

        // CSRF token kept in a cookie; HttpOnly so page scripts cannot read it
        private CookieCsrfTokenRepository cookieCsrfTokenRepository() {
            CookieCsrfTokenRepository csrfTokenRepository = new CookieCsrfTokenRepository();
            csrfTokenRepository.setCookieHttpOnly(true);
            return csrfTokenRepository;
        }
    }
}

Filter:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class CrossSiteScriptingXSSFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    // Hand every request down the chain wrapped, so that whatever reads the
    // parameters later gets the sanitized values from the wrapper
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new CrossSiteScriptingXSSRequestWrapper((HttpServletRequest) request), response);
    }
}

RequestWrapper:
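The RequestWrapper the question refers to is not on the page; what follows is an added example, not the asker's code, of one way to write it and to register the filter in Spring Boot. It assumes the question's CrossSiteScriptingXSSFilter lives in the same package, and the nested XssFilterRegistration class name is an assumption of mine.

```java
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

// Wrapper handed to chain.doFilter() by CrossSiteScriptingXSSFilter: parameter
// values are HTML-entity-encoded, so an echoed value cannot open or close a tag.
public class CrossSiteScriptingXSSRequestWrapper extends HttpServletRequestWrapper {

    public CrossSiteScriptingXSSRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getParameter(String name) {
        return neutralize(super.getParameter(name));
    }

    @Override  // multi-valued parameters must be covered too, or they bypass the filter
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) return null;
        return Arrays.stream(values).map(CrossSiteScriptingXSSRequestWrapper::neutralize).toArray(String[]::new);
    }

    // Encode the five HTML metacharacters rather than strip "<script>" patterns:
    // encoding has no obfuscated-tag bypass and keeps legitimate input intact.
    static String neutralize(String value) {
        if (value == null) return null;
        return value.replace("&", "&amp;")   // '&' first, so entities are not double-encoded
                    .replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#x27;");
    }

    // Spring Boot registration (class name is hypothetical): order the filter first
    // and map it to every URL so Spring Security and the controllers see wrapped requests.
    @Configuration
    static class XssFilterRegistration {
        @Bean
        public FilterRegistrationBean xssFilterRegistration() {
            FilterRegistrationBean reg = new FilterRegistrationBean(new CrossSiteScriptingXSSFilter());
            reg.addUrlPatterns("/*");
            reg.setOrder(Ordered.HIGHEST_PRECEDENCE);
            return reg;
        }
    }
}
```

getParameterMap() and getHeader() are not wrapped here; cover them the same way if your controllers read them. Because values are stored already encoded, a template engine that escapes on output (Thymeleaf's th:text, for instance) will render them double-encoded, which is why output encoding in the view is normally preferred over input filtering.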

0 answers:

No answers