커스텀 XSS Filter를 통해서 URL로 들어오는 XSS 공격을 방지하는 방법입니다.
파라미터를 필터링하는 방법과 다른 점은, request된 URL을 바꾼 뒤 다시 RequestDispatcher를 통해 forward 해 주어야 한다는 것입니다.
package com.handler.filter;
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
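public class XSSFilter implements Filter {

    // Token rules are case-insensitive: the previous plain "script" / "eval(" matches
    // let any other casing of the same token through untouched.
    private static final Pattern EVAL_CALL =
            Pattern.compile("eval\\((.*)\\)", Pattern.CASE_INSENSITIVE);
    private static final Pattern JAVASCRIPT_URL =
            Pattern.compile("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_TOKEN =
            Pattern.compile("script", Pattern.CASE_INSENSITIVE);

    /** No configuration is read; nothing to initialise. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** No resources are held; nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Sanitises the request path and, only when something was changed, forwards the
     * request to the sanitised path instead of continuing the chain.
     *
     * <p>Fixes relative to the first version:
     * <ul>
     *   <li>The request is either forwarded or passed down the chain, never both. The
     *       old code forwarded and then called {@code chain.doFilter} on a response the
     *       forward had already committed.</li>
     *   <li>{@code getRequestURI()} includes the context path, while the request-scoped
     *       dispatcher resolves absolute paths against the context root; the context
     *       path is stripped before dispatching so non-root deployments forward to the
     *       right resource.</li>
     *   <li>A path that cannot be dispatched after sanitising is rejected with 400
     *       rather than dereferencing a {@code null} dispatcher.</li>
     * </ul>
     * Because an unchanged path goes down the chain, a FORWARD dispatcher mapping in
     * web.xml cannot loop: the forwarded path is already clean.
     *
     * @param request  incoming request; non-HTTP requests are passed through untouched
     * @param response response for the request
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain, the forward or sendError
     * @throws ServletException propagated from the chain or the forward
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String path = contextRelativePath(httpRequest);
        String cleanedPath = cleanXSS(path);
        if (cleanedPath.equals(path)) {
            // Nothing to sanitise: the rest of the chain sees the original request.
            chain.doFilter(request, response);
            return;
        }
        RequestDispatcher dispatcher = request.getRequestDispatcher(cleanedPath);
        if (dispatcher == null) {
            // Fail closed: the sanitised path does not resolve to anything dispatchable.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        dispatcher.forward(request, response);
    }

    /**
     * Returns the request URI with the context path removed, so it can be handed to
     * {@code ServletRequest#getRequestDispatcher}, which treats a leading "/" as
     * relative to the context root.
     *
     * @param request HTTP request
     * @return the URI without its context-path prefix (unchanged for root deployments)
     */
    private static String contextRelativePath(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String contextPath = request.getContextPath();
        if (contextPath != null && !contextPath.isEmpty() && uri.startsWith(contextPath)) {
            return uri.substring(contextPath.length());
        }
        return uri;
    }

    /**
     * Rewrites characters and tokens in a request path that are commonly used in
     * reflected-XSS payloads.
     *
     * <p>Token removal runs before character escaping. In the previous ordering the
     * parentheses and single quotes had already been replaced by the time the
     * {@code eval(...)} and {@code 'javascript:...'} rules ran, so those two rules could
     * never match. The entity replacements are also emitted without the stray space
     * ({@code &lt;} rather than {@code & lt;}) that made the earlier output a malformed entity.
     *
     * <p>This is a deny-list over the raw request path only: {@code getRequestURI()} is
     * not URL-decoded, so percent-encoded forms are not seen here, and the query string
     * is not covered at all. Output encoding at the point of rendering remains the
     * primary XSS defence; this filter is a supplement.
     *
     * <p>Package-private (not private) so the sanitiser can be unit-tested directly.
     *
     * @param value request path to sanitise; {@code null} and "" are returned as-is
     * @return the sanitised path
     */
    static String cleanXSS(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        String cleaned = EVAL_CALL.matcher(value).replaceAll("");
        cleaned = JAVASCRIPT_URL.matcher(cleaned).replaceAll("\"\"");
        cleaned = SCRIPT_TOKEN.matcher(cleaned).replaceAll("");
        // Literal replacements: none of these strings contain regex or replacement metacharacters.
        return cleaned
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("(", "&#40;")
                .replace(")", "&#41;")
                .replace("'", "&#39;");
    }
}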
XSSFilter가 완성된 후에는 web.xml 에 추가해 줍니다.
<!-- Registers XSSFilter for every path in the web application. -->
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>com.handler.filter.XSSFilter</filter-class>
</filter>
<!-- No <dispatcher> element, so the container default applies: only client
     REQUESTs are filtered. The forward issued by XSSFilter is therefore not
     filtered a second time. -->
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>