What is XSS

XSS (Cross-Site Scripting) is a common web security vulnerability. It is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. It allows an attacker to embed malicious code in pages that are served to other users.

XSS attack flow


Simple XSS attack example

  • If a form's input is not sanitized and a user submits malicious code, the browser executes that code when the page is rendered.

The solution

XSS filtering features

  • XSS processing for String-typed fields bound from forms.
  • XSS processing of JSON string data.
  • Exemption rules at route and controller-method level.

Use mica-xss

Just add the dependencies:

    <!-- XSS security filter -->
    <dependency>
        <groupId>net.dreamlu</groupId>
        <artifactId>mica-core</artifactId>
        <version>2.0.9-GA</version>
    </dependency>
    <dependency>
        <groupId>net.dreamlu</groupId>
        <artifactId>mica-xss</artifactId>
        <version>2.0.9-GA</version>
    </dependency>

Test XSS filtering

Test GET parameter filtering

  • Create the target interface to simulate a GET submission

    @GetMapping("/xss")
    public String xss(String params) {
        // Echo the (already filtered) query parameter back to the caller
        return params;
    }

  • Returns null

    curl --location --request GET 'http://localhost:8080/xss?params=%3Cscript%3Ealert(%27xxx%27)%3C/script%3E'

Test POST Form parameter filtering

  • Create the target interface to simulate a POST form submission

    @PostMapping("/xss")
    public String xss(String params) {
        // Echo the (already filtered) form field back to the caller
        return params;
    }

  • Returns null

    curl --location --request POST 'http://localhost:8080/xss' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'params=<script>alert('\''xxx'\'')</script>'

Test POST Body parameter filtering

  • Create the target interface to simulate a POST body submission

    @PostMapping("/xss")
    public String xss(@RequestBody Map<String, String> body) {
        // The JSON body has already been filtered during deserialization
        return body.get("params");
    }

  • Returns null

    curl --location --request POST 'http://localhost:8080/xss' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "params":"<script>alert('\''XXX'\'')</script>"
    }'

Skip some interface filtering

Filtering can be skipped at method or class level with the @XssCleanIgnore annotation.

    @XssCleanIgnore
    @PostMapping("/xss")
    public String xss(@RequestBody Map<String, String> body) {
        // No filtering is applied here, so the raw value is returned
        return body.get("params");
    }

How it works

Common implementation scheme

  • Most schemes found online follow the structure in the figure below: an XssFilter is added to intercept user-submitted parameters, apply escaping and blacklist exclusion, and then continue with the business logic. The heart of the scheme is creating a new RequestWrapper that wraps the user's original request and ensures the request body stream can be read again by later processing.
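As an added illustration of the filter-plus-wrapper scheme described above (this is example code, not the page's own code and not from the mica project), the following shows a request wrapper that cleans parameters with Jsoup and buffers the body so it can be read more than once. It assumes Spring Boot 2.x (javax.servlet) and jsoup 1.14 or later on the classpath; the class names XssRequestWrapper and XssFilter are made up for the example.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import javax.servlet.FilterChain;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.stereotype.Component;
import org.springframework.util.StreamUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical wrapper: parameters are cleaned on read, the body is buffered for re-reading. */
class XssRequestWrapper extends HttpServletRequestWrapper {
    private final byte[] body;

    XssRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        // Read the body once into memory so later stages (e.g. JSON binding) can read it again.
        this.body = StreamUtils.copyToByteArray(request.getInputStream());
    }

    private static String clean(String value) {
        // Safelist.none() keeps only text; every tag and attribute is dropped.
        return value == null ? null : Jsoup.clean(value, Safelist.none());
    }

    @Override
    public String getParameter(String name) {
        return clean(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = clean(values[i]);
        }
        return cleaned;
    }

    @Override
    public ServletInputStream getInputStream() {
        ByteArrayInputStream in = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override public boolean isFinished() { return in.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener listener) { }
            @Override public int read() { return in.read(); }
        };
    }

    @Override
    public BufferedReader getReader() {
        return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
    }
}

/** Hypothetical filter: installs the wrapper so every downstream reader sees cleaned parameters. */
@Component
public class XssFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        chain.doFilter(new XssRequestWrapper(request), response);
    }
}
```

Two caveats apply to this scheme. Buffering the whole body in memory means a request-size limit must be enforced elsewhere, and Jsoup.clean with Safelist.none() returns HTML-escaped text, so a harmless value such as `a & b` comes back as `a &amp; b`; a filter that silently rewrites ordinary input this way is a common source of bugs that a binding-level approach can handle more precisely.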

mica-xss implementation

1. Custom WebDataBinder editor supports form filtering

Spring's WebDataBinder binds the parameters of a web request to the corresponding JavaBean. A controller method's parameter can be a primitive type or a plain Java object. If that object carries no annotation, each of its properties is looked up among the request parameters, and WebDataBinder pulls those parameters out of the request and binds them to the JavaBean.

Spring MVC exposes a hook for registering custom editors that run during binding; injecting such an editor lets filtering happen while request parameters are bound to the JavaBean.
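The following is an added example of that binding-time hook (not code from the page or from mica-xss): a PropertyEditor registered through @InitBinder on every controller, so String query parameters and form fields are cleaned with Jsoup as they are bound. It assumes Spring Boot 2.x and jsoup 1.14 or later; XssStringEditor and XssBinderAdvice are names invented for the example.

```java
import java.beans.PropertyEditorSupport;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/** Hypothetical editor: strips all HTML from an incoming String during binding. */
class XssStringEditor extends PropertyEditorSupport {
    @Override
    public void setAsText(String text) {
        if (text == null) {
            setValue(null);
            return;
        }
        // Safelist.none() removes every tag; a pure <script>...</script> payload leaves nothing behind.
        String cleaned = Jsoup.clean(text, Safelist.none()).trim();
        // Mirror the "returns null" behaviour seen in the tests above for fully stripped input.
        setValue(cleaned.isEmpty() ? null : cleaned);
    }
}

/** Hypothetical advice: applies the editor to String parameters of every controller. */
@ControllerAdvice
public class XssBinderAdvice {
    @InitBinder
    public void registerXssEditor(WebDataBinder binder) {
        // Covers plain String method parameters as well as String properties of bound JavaBeans.
        binder.registerCustomEditor(String.class, new XssStringEditor());
    }
}
```

This hook only sees values that go through WebDataBinder, that is, @RequestParam, @ModelAttribute and unannotated String parameters; a @RequestBody is converted by Jackson and never passes through the binder, which is why the JSON path needs its own hook.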


2. Custom JsonDeserializer supports JSON filtering

Spring Boot uses Jackson by default to serialize and deserialize JSON. Beyond the defaults, we can write our own JsonSerializer and JsonDeserializer classes for custom handling. JSON payloads submitted by users are bound to JavaBeans by Jackson's JsonDeserializer, so we only need a custom JsonDeserializer to filter values as they are bound.
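As an added example of the JSON path (not the page's or mica-xss's own code), the block below registers a Jackson deserializer for String with Spring Boot's auto-configured ObjectMapper, so every String value in a @RequestBody, whether a bean field or a Map value, is cleaned before the controller sees it. It assumes Spring Boot 2.x Jackson auto-configuration and jsoup 1.14 or later; XssStringDeserializer and XssJacksonConfig are invented names.

```java
import java.io.IOException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/** Hypothetical deserializer: runs while Jackson reads a JSON string, before it reaches the bean. */
class XssStringDeserializer extends JsonDeserializer<String> {
    @Override
    public String deserialize(JsonParser parser, DeserializationContext context) throws IOException {
        String raw = parser.getValueAsString();
        if (raw == null) {
            return null;
        }
        // Same strict cleaning as the form path: tags and attributes are dropped, text is kept.
        String cleaned = Jsoup.clean(raw, Safelist.none()).trim();
        return cleaned.isEmpty() ? null : cleaned;
    }
}

@Configuration
public class XssJacksonConfig {
    /** Spring Boot adds every Module bean to the auto-configured ObjectMapper used for @RequestBody. */
    @Bean
    public SimpleModule xssModule() {
        return new SimpleModule("xss").addDeserializer(String.class, new XssStringDeserializer());
    }
}
```

Note that the deserializer applies to String values only; map keys and non-String fields are untouched, and any ObjectMapper built by hand rather than injected from the context will not carry the module.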


  3. Core filtering logic

    In mica-xss, we did not adopt the handwritten blacklist or escaping scheme described above; instead, we used the Jsoup library directly.

    Jsoup implements the WHATWG HTML5 specification and parses HTML into the same DOM that modern browsers build.

    • Scrape and parse HTML from URLs, files, or strings
    • Find and extract data using DOM traversal or CSS selectors
    • Manipulate HTML elements, attributes, and text
    • Clean user-submitted content against a safelist to prevent XSS attacks
    • Output tidy HTML
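To make the safelist behaviour concrete, here is an added example (not from the page or from mica-xss) that runs Jsoup.clean over a few constructed inputs, including the page's own test payload, under the strict Safelist.none() and the permissive Safelist.basic(). It assumes jsoup 1.14 or later, where the class is named Safelist rather than Whitelist; the class name JsoupCleanDemo is invented.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class JsoupCleanDemo {
    /** Strict mode: only text survives, which is what a form or JSON filter usually wants. */
    static String stripAll(String html) {
        return Jsoup.clean(html, Safelist.none());
    }

    /** Permissive mode for rich-text fields: basic formatting tags stay, script and event handlers go. */
    static String keepBasic(String html) {
        // Safelist.basic() allows tags such as b, i, a (http/https/mailto links only) and p.
        return Jsoup.clean(html, Safelist.basic());
    }

    public static void main(String[] args) {
        // Constructed inputs for illustration.
        String[] samples = {
            "<script>alert('xxx')</script>",            // the payload used in the curl tests above
            "<b onclick=\"alert(1)\">bold</b> text",    // allowed tag carrying a disallowed attribute
            "plain text with <i>emphasis</i>",          // benign markup
        };
        for (String s : samples) {
            System.out.println("input : " + s);
            System.out.println("none  : " + stripAll(s));
            System.out.println("basic : " + keepBasic(s));
        }
    }
}
```

Because Jsoup parses the input into a DOM first, it does not depend on matching literal strings: an element that is not on the safelist is dropped together with its content, and an allowed element keeps only the attributes (and URL schemes) the safelist permits, which is the difference between this approach and a hand-maintained blacklist of patterns.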

Source code address:

  • Github.com/pig-mesh/pi…

  • Github.com/lets-mica/m…