漏洞两种情况
1.直接用request.getParameter(“参数”);去获取值 然后直接用println()输出
2.用request.setAttribute输出
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>XSS Vulnerable</title> </head> <body> <form action="index.jsp" method="post"> Enter your name: <input type="text" name="name"><input type="submit"> </form> <% if(request.getMethod().equalsIgnoreCase("post")) { String name = request.getParameter("name"); if(!name.isEmpty()) { out.println("<br>Hi "+name+". How are you?"); } } %> </body> </html>
防御方法
①引入框架的filter(即引用框架的全局过滤去处理)
②自己写定义编码转换
import org.apache.commons.lang.StringUtils; private String htmlEncode(String content) { content = StringUtils.replace(content, "&", "&"); content = StringUtils.replace(content, "<", "<"); content = StringUtils.replace(content, ">", ">"); content = StringUtils.replace(content, "\"", """); content = StringUtils.replace(content, "'", "'"); content = StringUtils.replace(content, "/", "/"); return content; }