CN117424723A - Method and system for preventing xss attack based on custom annotation - Google Patents


Info

Publication number: CN117424723A
Application number: CN202311296008.2A
Authority: CN (China)
Prior art keywords: configuration, custom, xss, request, parameter
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 陈新义, 张永皋, 程永明
Current assignee: Inspur Cloud Information Technology Co Ltd (as listed by Google Patents)
Original assignee: Inspur Cloud Information Technology Co Ltd
Priority date: 2023-10-09 (as listed by Google Patents; an assumption, not a legal conclusion)
Filing date: 2023-10-09
Publication date: 2024-01-19
Events: application filed by Inspur Cloud Information Technology Co Ltd; priority to CN202311296008.2A; published as CN117424723A; legal status pending.


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to the technical field of web applications, in particular to a method and a system for preventing XSS attacks based on a custom annotation. The method comprises the following steps: initializing configuration, wherein the required configuration is obtained from a configuration center; providing a custom annotation that supports checking either all interface parameters or only specified interface parameters; initializing an XSS tag whitelist, wherein the required tag configuration is obtained from the configuration center; and, when the global-enable configuration is true, a global filter takes effect, while when it is false, the custom annotation takes effect. The beneficial effects are as follows: according to the method and system for preventing XSS attacks based on a custom annotation, the XSS-prevention code is extracted into an independent jar package, so a service gains XSS protection merely by adding the dependency and its configuration. Both protection of all interfaces and protection of a specific interface are provided; the implementation is simple and minimally intrusive, and when the rules need to be modified, only the jar package needs to be modified and re-released for the change to take effect.

Description

Method and system for preventing xss attack based on custom annotation
Technical Field
The invention relates to the technical field of web applications, in particular to a method and a system for preventing XSS attacks based on a custom annotation.
Background
XSS (Cross-Site Scripting) is a common class of security vulnerability in web applications. An attacker embeds a malicious script into a web page; when a user browses that page the script is executed in the user's browser and carries out the attacker's intent. The malicious code is usually JavaScript, but can also be Java, VBScript, ActiveX, Flash or even plain HTML. Once an attack succeeds, the attacker may obtain, among other things, elevated privileges (for example, performing operations that require high privileges), private page content, the session, and the user's cookies.
In the prior art, web back ends commonly prevent XSS attacks in two ways: blacklist/whitelist filtering and special-character escaping.
(1) Blacklist or whitelist filtering: the content submitted by the user is filtered against a blacklist or a whitelist, i.e. reliable input validation is performed on what the user submits. Blacklist filtering places high-risk tags such as <script> and <iframe> on a blacklist; when a user submits a request, the parameters are obtained and checked for blacklisted keywords, and any hit is replaced or reported as an error. This is simple to implement, but given the diversity of attack techniques it is difficult to configure a blacklist that covers every attack tag, so attacks still get through; the approach is also inflexible and therefore not suitable for a production environment. Whitelist filtering only lets tags on the whitelist through; tags not on the whitelist are replaced or reported as errors, so an incomplete whitelist causes false positives. Third-party open-source XSS whitelists are generally used today; the implementation is fairly simple and is particularly suitable for interfaces whose submitted parameters are rich text.
(2) Special-character escaping: the content submitted by the user is escaped, for example the tags <script> and <iframe> become &lt;script&gt; and &lt;iframe&gt;. The usual escaping method is HTML encoding (htmlencode). This is simple to implement and defends against most XSS attacks, but when a rich-text parameter with full HTML semantics must be displayed, such as pictures or styled fonts, escaping destroys the rich text.
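The trade-off described in (1) and (2), as an added example that is not part of the patent: a naive blacklist, htmlencode-style escaping and a whitelist applied to the same constructed input. It uses the Jsoup library that the description names later (class Safelist, formerly called Whitelist, Jsoup 1.14.1 or later); the sample input and the tag set are constructed for this example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/** Added example: three back-end XSS defences applied to one piece of rich text. */
public class XssDefenceComparison {

    // Constructed sample input: legitimate rich text mixed with three payloads.
    static final String INPUT =
            "<b>bold</b> <a href=\"https://example.com\" title=\"ok\">link</a>"
            + "<a href=\"javascript:alert(1)\">bad link</a>"
            + "<ScRiPt>alert(2)</ScRiPt>"
            + "<div onmouseover=\"alert(3)\">text</div>";

    /** Naive blacklist in the style of the background section: substring match on known tags. */
    static boolean blacklistHit(String s) {
        return s.contains("<script") || s.contains("<iframe");
    }

    /** htmlencode-style escaping: neutralises everything, but also destroys the <b> and <a> markup. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Whitelist in the page's sense: allowed tags, allowed attributes per tag, allowed URL protocols. */
    static Safelist richTextSafelist() {
        return Safelist.none()
                .addTags("a", "b", "br", "div")
                .addAttributes("a", "href", "title")
                .addAttributes("div", "align", "width", "title")
                .addProtocols("a", "href", "ftp", "http", "https");
    }

    public static void main(String[] args) {
        // 1. Blacklist: the mixed-case <ScRiPt> and the onmouseover handler are both missed.
        System.out.println("blacklist hit: " + blacklistHit(INPUT));   // false: attack passes

        // 2. Escaping: safe to render as text, but the legitimate <b>/<a> markup is gone with it.
        System.out.println("escaped: " + htmlEncode(INPUT));

        // 3. Whitelist: <b> and the https link survive; the javascript: href, the <script>
        //    element and the onmouseover attribute are all dropped, so isValid reports false.
        Safelist safelist = richTextSafelist();
        System.out.println("valid:   " + Jsoup.isValid(INPUT, safelist));
        System.out.println("cleaned: " + Jsoup.clean(INPUT, safelist));
    }
}
```

Jsoup.isValid is the "reject" decision a filter would make on a request parameter (true only if cleaning would change nothing), while Jsoup.clean is the "filter the high-risk tags" alternative. The page's whitelist also lists the style attribute; it is omitted here because inline CSS widens the attack surface and deserves a deliberate decision rather than a default.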
Disclosure of Invention
The invention aims to provide a method and a system for preventing XSS attacks based on a custom annotation, so as to solve the problems described in the background.
In order to achieve the above purpose, the present invention provides the following technical solution: a method for preventing XSS attacks based on a custom annotation, the method comprising the following steps:
initializing configuration, wherein the required configuration is obtained from a configuration center;
the custom annotation supports checking either all interface parameters or specified interface parameters;
initializing an XSS tag whitelist, wherein the required tag configuration is obtained from the configuration center;
when the global-enable configuration is true, the global filter takes effect, and when the global-enable configuration is false, the custom annotation takes effect.
Preferably, the configuration read during initialization comprises whether protection is globally enabled, the XSS tag whitelist and the request methods to intercept, the request method being the HTTP request method.
Preferably, the custom annotation can be placed on an interface; with value configured as 'all', all parameters of the interface are checked; with value configured as specific interface parameter names, the request parameter list is obtained from the HttpServletRequest, the corresponding parameter values are fetched by the configured names, and those values are checked.
Preferably, the XSS tag whitelist includes, but is not limited to, the HTML tags "a", "b", "br" and "div"; the tag attributes "style", "align", "width" and "title"; and the protocols "ftp", "http" and "https".
Preferably, when the global filter is in effect, the filtering steps are as follows:
(1) Spring Boot's @ConditionalOnProperty annotation checks whether the global-enable configuration is true and thereby controls whether the global filter is initialized;
(2) after a user request is received, if the request method is among the configured request methods, the global filter takes effect and obtains the request method, the interface method name and the input parameters;
(3) the request parameter list is traversed and each parameter value is checked against the whitelist; a conforming value passes, while a non-conforming value causes a failure to be returned or the high-risk tags to be filtered out.
Preferably, the custom annotation takes effect as follows:
(1) Spring Boot's @ConditionalOnProperty annotation checks whether the global-enable configuration is false and thereby controls whether the AOP aspect is initialized;
(2) after a user request is received, if the request method is among the configured request methods and the interface method carries the custom annotation, the aspect logic takes effect and obtains the request method, the interface method name and the input parameters;
(3) according to the value of the custom annotation it is determined whether all interface parameters or specific parameters are to be checked; for all parameters, the request parameter list is traversed and each value is checked against the whitelist, a conforming value passes, and a non-conforming value causes a failure to be returned or the high-risk tags to be filtered out; for specific parameters, the corresponding values are fetched from the request parameter list, checked against the whitelist, and the result is returned.
A system for preventing XSS attacks based on a custom annotation, consisting of a custom jar package, a global filter, a custom annotation, an AOP aspect, an XSS tag whitelist and custom configuration;
the custom jar package is introduced as a dependency, and XSS attack defence is implemented either through the global filter or through the custom annotation together with AOP.
Preferably, the XSS tag whitelist includes, but is not limited to, third-party open-source whitelists such as those of Jsoup and AntiSamy.
Compared with the prior art, the invention has the following beneficial effects:
according to the method and system for preventing XSS attacks based on a custom annotation, the XSS-prevention code is extracted into an independent jar package, so a service gains XSS protection merely by adding the dependency and its configuration. Both protection of all interfaces and protection of a specific interface are provided; the implementation is simple and minimally intrusive, and when the rules need to be modified, only the jar package needs to be modified and re-released for the change to take effect.
Drawings
FIG. 1 is a schematic diagram of the system initialization of the present invention;
FIG. 2 is a diagram of a system architecture of the present invention;
FIG. 3 is a global interceptor workflow of the present invention;
FIG. 4 is a flow chart of the custom annotation workflow of the present invention.
Detailed Description
In order to make the objects, technical solutions, and advantages of the present invention more apparent, the embodiments of the present invention will be further described in detail with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are some, but not all, embodiments of the present invention, are intended to be illustrative only and not limiting of the embodiments of the present invention, and that all other embodiments obtained by persons of ordinary skill in the art without making any inventive effort are within the scope of the present invention.
Example 1
Referring to FIG. 1 to FIG. 4, the present invention provides the following technical solution. A method and system for preventing XSS attacks based on a custom annotation comprises a custom jar package, a global filter, a custom annotation, an AOP aspect, an XSS tag whitelist and custom configuration, where the XSS tag whitelist includes but is not limited to third-party open-source whitelists such as those of Jsoup and AntiSamy.
The implementation is that the custom jar package is introduced as a dependency, and XSS attack defence is realized through the global filter or through the custom annotation together with AOP.
When the configuration is initialized, the required configuration is obtained from a configuration center. The main items are whether protection is globally enabled, the XSS tag whitelist and the request methods to intercept. The request method is the HTTP request method, such as GET, POST or PUT, and is used to decide which request methods need to be intercepted. The global-enable configuration mainly governs the scope of protection: if its value is true, the interfaces of all configured request methods are intercepted; if it is false, only interfaces carrying the custom annotation are intercepted. The XSS tag whitelist configuration is the list of tags required for the XSS whitelist.
The custom annotation supports checking all interface parameters or only specified interface parameters. It can be placed on an interface; with value configured as 'all', all parameters of the interface are checked; with value configured as specific interface parameter names, the request parameter list is obtained from the HttpServletRequest, the corresponding parameter values are fetched by the configured names, and those values are checked. The custom annotation also supports several specific parameter names, separated by English commas. Typical usage is as follows: @XssController(value = "all") checks every parameter value of the interface, while @XssController(value = "problemDesc,dealDesc") checks only the values of the problemDesc and dealDesc parameters of the interface.
When the XSS whitelist is initialized, the required tag configuration is obtained from the configuration center; after initialization, any later modification of the corresponding configuration in the configuration center takes effect in the whitelist automatically.
Whitelist tags include, but are not limited to, HTML tags such as "a", "b", "br" and "div"; tag attributes such as "style", "align", "width" and "title"; and protocols such as "ftp", "http" and "https".
Global filter initialization and AOP aspect initialization are mutually exclusive: when the global-enable configuration is true, the global filter takes effect; when it is false, the custom annotation takes effect.
When the global filter is in effect, the filtering steps are as follows:
(1) Spring Boot's @ConditionalOnProperty annotation checks whether the global-enable configuration is true and thereby controls whether the global filter is initialized.
(2) After a user request is received, if the request method is among the configured request methods, the global filter takes effect, and the request method, the interface method name, the input parameters and similar information can be obtained.
(3) The request parameter list is traversed and each parameter value is checked against the whitelist; a conforming value passes, while a non-conforming value causes a failure to be returned or the high-risk tags to be filtered out.
When the custom annotation is in effect, the general steps are as follows:
(1) Spring Boot's @ConditionalOnProperty annotation checks whether the global-enable configuration is false and thereby controls whether the AOP aspect is initialized.
(2) After a user request is received, if the request method is among the configured request methods and the interface method carries the custom annotation, the aspect logic takes effect, and the request method, the interface method name, the input parameters and similar information can be obtained.
(3) According to the value of the custom annotation it is determined whether all interface parameters or specific parameters are to be checked. For all parameters, the request parameter list is traversed and each value is checked against the whitelist; a conforming value passes, and a non-conforming value causes a failure to be returned or the high-risk tags to be filtered out. For specific parameters, the corresponding values are fetched from the request parameter list, checked against the whitelist, and the result is returned.
Example 2
Building on Example 1, and as shown in FIG. 1, the configuration center is Nacos by way of example. When the system initializes, it first obtains the configuration from Nacos using long polling, and decides whether to instantiate the global filter or the AOP aspect by checking whether the global-enable configuration is true; Spring Boot's @ConditionalOnProperty annotation can implement this. First, @ConditionalOnProperty(value = "xss-control.enabled", matchIfMissing = true) is added to the filter implementation class, and @ConditionalOnProperty(value = "xss-control.enabled", matchIfMissing = false) to the AOP aspect; when the global-enable configuration is set to true, the configuration instantiates the global filter, and when it is set to false, the configuration instantiates the AOP aspect, so that the system instantiates different functions according to configuration. Second, the whitelist uses the Whitelist class provided by Jsoup: its addTags method adds the HTML whitelist tags configured in the configuration center, addAttributes adds the tag attributes, and addProtocols adds the permitted protocols for tags. The generated whitelist is kept in memory and used while the system runs; after the whitelist is modified in the configuration center no restart is needed, so when tags or attributes are added or removed, the change takes effect as soon as the modification in the configuration center is complete. Finally, the permitted request methods are placed in memory for convenient reading.
As shown in FIG. 2, the overall architecture of the system for preventing XSS attacks is provided.
As shown in FIG. 3, the global interceptor workflow: in FIG. 1 the system has instantiated the global interceptor. When the system receives a user request, it first checks whether the request method is among the configured methods; if not, the request passes directly. If so, the custom interceptor obtains the request's parameter-name/parameter-value pairs, traverses the request list in a loop and compares each parameter value with the whitelist; if the content conforms to the rules it continues to the next parameter value, otherwise an error is reported to the front end. This repeats until all parameter values have been verified. For example, assuming the configured request methods are POST, PUT and PATCH: a GET request needs no interception and passes directly; a POST request has its parameters obtained and is intercepted and verified by the steps above.
As shown in FIG. 4, the custom annotation workflow: in FIG. 1 the system has instantiated the AOP aspect. When the system receives a user request, it checks whether the requested interface carries the custom annotation; if not, the request passes directly. If the value of the custom annotation is 'all', every parameter value of the interface is traversed and compared with the whitelist. If the value is a list of specific parameter names, the names are split on the English comma with String.split, turning the string of several names into a string array; the array is traversed, each named parameter's value is fetched and compared with the whitelist, and if the content is illegal an error message is returned directly. This repeats until all parameter values, or all specified parameter values, have been traversed, and the process ends.
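The initialization in Example 2 and the two workflows of FIG. 3 and FIG. 4, as one added Spring Boot example; this is not the patent's code. It assumes Spring Boot 3 (jakarta.servlet namespace) with the web and AOP starters, Jsoup 1.14.1 or later (Safelist is the renamed Whitelist), and the annotation name @XssController as rendered in the description; the property keys xss-control.methods, xss-control.tags, xss-control.attributes and xss-control.protocols are assumed names alongside the page's xss-control.enabled, and the types are shown in one listing although in the jar each would be its own file. One caveat a practitioner should know: with the two conditions exactly as Example 2 states them (both keyed on xss-control.enabled, the aspect with matchIfMissing = false and no havingValue), the aspect also matches when the property is true, because @ConditionalOnProperty without havingValue matches any value other than false. The mutual exclusion the page describes needs havingValue = "false" on the aspect, which is what this example uses. It implements the "return failure" branch of step (3); the "filter the high-risk tags" branch would substitute Jsoup.clean() output through an HttpServletRequestWrapper instead.

```java
import java.io.IOException;
import java.lang.annotation.*;
import java.util.*;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.*;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.*;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.server.ResponseStatusException;

/** The custom annotation of the description: "all", or a comma-separated list of parameter names. */
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@interface XssController {
    String value() default "all";
}

/** Whitelist check shared by both modes; keeps the Jsoup safelist built from configuration in memory. */
@Component
class XssChecker {
    private final Set<String> methods = new HashSet<>();   // HTTP methods to intercept, upper case
    private volatile Safelist safelist;                     // swapped wholesale on reload, read on every request

    XssChecker(@Value("${xss-control.methods:POST,PUT,PATCH}") List<String> methods,
               @Value("${xss-control.tags:a,b,br,div}") List<String> tags,
               @Value("${xss-control.attributes:title,align,width}") List<String> attributes,
               @Value("${xss-control.protocols:ftp,http,https}") List<String> protocols) {
        for (String m : methods) this.methods.add(m.trim().toUpperCase());
        reload(tags, attributes, protocols);
    }

    /** Rebuilds the safelist; the config-center change listener (Nacos in Example 2, not shown) calls this. */
    void reload(List<String> tags, List<String> attributes, List<String> protocols) {
        Safelist s = Safelist.none().addTags(tags.toArray(String[]::new));
        s.addAttributes(":all", attributes.toArray(String[]::new));   // ":all" = on every allowed tag
        if (tags.contains("a"))                                       // the URL attribute gets the protocol list
            s.addAttributes("a", "href").addProtocols("a", "href", protocols.toArray(String[]::new));
        safelist = s;
    }

    boolean interceptsMethod(String method) { return methods.contains(method.toUpperCase()); }

    /** A value passes only if cleaning it with the whitelist would change nothing. */
    boolean isClean(String value) { return value == null || Jsoup.isValid(value, safelist); }
}

/** Mode 1: global filter, instantiated when xss-control.enabled is true or absent (FIG. 3). */
@Component
@ConditionalOnProperty(value = "xss-control.enabled", matchIfMissing = true)
class XssGlobalFilter extends OncePerRequestFilter {
    private final XssChecker checker;
    XssGlobalFilter(XssChecker checker) { this.checker = checker; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        if (checker.interceptsMethod(req.getMethod())) {
            for (String[] values : req.getParameterMap().values()) {
                for (String v : values) {
                    if (!checker.isClean(v)) {   // "return failure" branch; echo nothing from the request
                        res.sendError(HttpServletResponse.SC_BAD_REQUEST, "request parameter rejected by XSS whitelist");
                        return;
                    }
                }
            }
        }
        chain.doFilter(req, res);
    }
}

/** Mode 2: AOP aspect, instantiated only when xss-control.enabled is explicitly false (FIG. 4). */
@Aspect
@Component
@ConditionalOnProperty(value = "xss-control.enabled", havingValue = "false")
class XssControllerAspect {
    private final XssChecker checker;
    XssControllerAspect(XssChecker checker) { this.checker = checker; }

    @Around(value = "@annotation(xssController)", argNames = "pjp,xssController")
    public Object check(ProceedingJoinPoint pjp, XssController xssController) throws Throwable {
        ServletRequestAttributes attrs = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs != null && checker.interceptsMethod(attrs.getRequest().getMethod())) {
            HttpServletRequest req = attrs.getRequest();
            Collection<String> names = "all".equals(xssController.value())
                    ? req.getParameterMap().keySet()                     // @XssController("all")
                    : Arrays.asList(xssController.value().split(","));   // @XssController("problemDesc,dealDesc")
            for (String name : names) {
                String[] values = req.getParameterValues(name.trim());
                for (String v : values == null ? new String[0] : values) {
                    if (!checker.isClean(v))
                        throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "request parameter rejected by XSS whitelist");
                }
            }
        }
        return pjp.proceed();
    }
}
```

A controller method annotated @XssController("problemDesc,dealDesc") on a POST mapping is then checked only on those two parameters, as in the description. Two points the page leaves implicit: as a shared jar, these beans should be registered through a Spring Boot auto-configuration entry (META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports) rather than relying on the consuming service's component scan, and the rejection message must not echo the offending parameter name or value, otherwise the defence itself becomes a reflection point.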
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. A method for preventing XSS attacks based on a custom annotation, characterized in that the method comprises the following steps:
initializing configuration, wherein the required configuration is obtained from a configuration center;
the custom annotation supports checking either all interface parameters or specified interface parameters;
initializing an XSS tag whitelist, wherein the required tag configuration is obtained from the configuration center;
when the global-enable configuration is true, the global filter takes effect, and when the global-enable configuration is false, the custom annotation takes effect.
2. The method for preventing XSS attacks based on a custom annotation according to claim 1, characterized in that: the configuration read during initialization comprises whether protection is globally enabled, the XSS tag whitelist and the request methods to intercept, the request method being the HTTP request method.
3. The method for preventing XSS attacks based on a custom annotation according to claim 1, characterized in that: the custom annotation can be placed on an interface; with value configured as 'all', all parameters of the interface are checked; with value configured as specific interface parameter names, the request parameter list is obtained from the HttpServletRequest, the corresponding parameter values are fetched by the configured parameter names, and those values are checked.
4. The method for preventing XSS attacks based on a custom annotation according to claim 1, characterized in that: the XSS tag whitelist includes, but is not limited to, the HTML tags "a", "b", "br" and "div"; the tag attributes "style", "align", "width" and "title"; and the protocols "ftp", "http" and "https".
5. The method for preventing XSS attacks based on a custom annotation according to claim 1, characterized in that, when the global filter is in effect, the filtering steps are as follows:
(1) Spring Boot's @ConditionalOnProperty annotation checks whether the global-enable configuration is true and thereby controls whether the global filter is initialized;
(2) after a user request is received, if the request method is among the configured request methods, the global filter takes effect and obtains the request method, the interface method name and the input parameters;
(3) the request parameter list is traversed and each parameter value is checked against the whitelist; a conforming value passes, while a non-conforming value causes a failure to be returned or the high-risk tags to be filtered out.
6. The method for preventing XSS attacks based on a custom annotation according to claim 1, characterized in that, when the custom annotation is in effect, the steps are as follows:
(1) Spring Boot's @ConditionalOnProperty annotation checks whether the global-enable configuration is false and thereby controls whether the AOP aspect is initialized;
(2) after a user request is received, if the request method is among the configured request methods and the interface method carries the custom annotation, the aspect logic takes effect and obtains the request method, the interface method name and the input parameters;
(3) according to the value of the custom annotation it is determined whether all interface parameters or specific parameters are to be checked; for all parameters, the request parameter list is traversed and each value is checked against the whitelist, a conforming value passes, and a non-conforming value causes a failure to be returned or the high-risk tags to be filtered out; for specific parameters, the corresponding values are fetched from the request parameter list, checked against the whitelist, and the result is returned.
7. A system for preventing XSS attacks based on a custom annotation, using the method for preventing XSS attacks based on a custom annotation of any one of claims 1 to 6, characterized in that: the system consists of a custom jar package, a global filter, a custom annotation, an AOP aspect, an XSS tag whitelist and custom configuration;
the custom jar package is introduced as a dependency, and XSS attack defence is implemented either through the global filter or through the custom annotation together with AOP.
8. The system for preventing XSS attacks based on a custom annotation according to claim 7, characterized in that: the XSS tag whitelist includes, but is not limited to, third-party open-source whitelists such as those of Jsoup and AntiSamy.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN202311296008.2A    2023-10-09      2023-10-09    Method and system for preventing xss attack based on custom annotation


Publications (1)

Publication Number   Publication Date
CN117424723A         2024-01-19

Family

ID: 89531665

Family Applications (1)

Application Number   Status    Publication     Priority Date   Filing Date
CN202311296008.2A    Pending   CN117424723A    2023-10-09      2023-10-09

Country Status (1)

Country   Link
CN (1)    CN117424723A


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination