跨站点请求伪造-SpringBoot配置CSRF过滤器
1. 跨站点请求伪造
风险:可能会窃取或操纵客户会话和 cookie,它们可能⽤于模仿合法⽤户,从⽽使⿊客能够以该⽤户⾝份查看或变更⽤户记录以及执⾏事务。
原因:应⽤程序使⽤的认证⽅法不充分。
固定值:验证“Referer”头的值,并对每个提交的表单使⽤ one-time-nonce。
2. l添加依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
3. 配置⽂件添加配置
# 信息安全
security:
csrf:
enable: true
spring framework rce漏洞复现excludes:
4. 添加CSRF过滤器
import java.io.IOException;
import java.util.List;
import Matcher;
import Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import org.t.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
slf4j.Slf4j;
/
**
* CSRF过滤器
*
* @author CL
*
*/
@Slf4j
@Component
@ConfigurationProperties(prefix = "security.csrf")
@WebFilter(filterName = "CsrfFilter", urlPatterns = "/*")
public class CsrfFilter implements Filter {
/
**
* 过滤器配置对象
*/
FilterConfig filterConfig = null;
/**
* 是否启⽤
*/
private boolean enable;
public void setEnable(boolean enable) {
}
/
**
* 忽略的URL
*/
private List<String> excludes;
public void setExcludes(List<String> excludes) {
}
/**
* 初始化
*/
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
/**
* 拦截
*/
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
// 不启⽤或者已忽略的URL不拦截
if (!enable || ServletPath())) {
filterChain.doFilter(servletRequest, servletResponse);
return;
}
String referer = Header("Referer");
String serverName = ServerName();
// 判断是否存在外链请求本站
if (null != referer && referer.indexOf(serverName) < 0) {
<("CSRF过滤器 => 服务器:{} => 当前域名:{}", serverName, referer);
servletResponse.setContentType("text/html; charset=utf-8");
} else {
filterChain.doFilter(servletRequest, servletResponse);
}
}
/**
* 销毁
*/
@Override
public void destroy() {
this.filterConfig = null;
}
/**
* 判断是否为忽略的URL
*
* @param urlPath URL路径
* @return true-忽略,false-过滤
*/
private boolean isExcludeUrl(String url) {
if (excludes == null || excludes.isEmpty()) {
return false;
}
return excludes.stream().map(pattern -> Patternpile("^" + pattern)).map(p -> p.matcher(url))
.anyMatch(Matcher::find);
}
}
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论