Prevent Cross-Site Scripting (XSS) in a Spring Application – 防止Spring应用程序中的跨站脚本(XSS)

最后修改: 2021年 2月 12日

中文/混合/英文(键盘快捷键:t)

1. Overview

1.概述

When building a Spring web application, it’s important to focus on security. Cross-site scripting (XSS) is one of the most critical attacks on web security.

在构建Spring网络应用程序时,关注安全性是很重要的。跨站脚本(XSS)是对Web安全最关键的攻击之一。

Preventing the XSS attack is a challenge in a Spring application. Spring provides built-in help for complete protection.

在Spring应用程序中,防止XSS攻击是一个挑战。Spring提供了内置的帮助以实现完整的保护。

In this tutorial, we’ll use the available Spring Security features.

在本教程中,我们将使用现有的Spring Security功能。

2. What Is a Cross-Site Scripting (XSS) Attack?

2.什么是跨站脚本(XSS)攻击?

2.1. Definition of the Problem

2.1.问题的定义

XSS is a common type of injection attack. In XSS, the attacker tries to execute malicious code in a web application. They interact with it through a web browser or HTTP client tools like Postman.

XSS是一种常见的注入攻击类型。在XSS中,攻击者试图在一个Web应用程序中执行恶意代码。他们通过网络浏览器或HTTP客户端工具(如Postman)与之交互。

There are two types of XSS attacks:

有两种类型的XSS攻击。

  • Reflected or Nonpersistent XSS
  • Stored or Persistent XSS

In Reflected or Nonpersistent XSS, untrusted user data is submitted to a web application, which is immediately returned in the response, adding untrustworthy content to the page. The web browser assumes the code came from the web server and executes it. This might allow a hacker to send you a link that, when followed, causes your browser to retrieve your private data from a site you use and then make your browser forward it to the hacker’s server.

在反射式或非持久性XSS中,不受信任的用户数据被提交给网络应用程序,并立即在响应中返回,在页面中加入不值得信任的内容。网络浏览器假定该代码来自网络服务器并执行它。这可能允许黑客向你发送一个链接,当遵循这个链接时,导致你的浏览器从你使用的网站上检索你的私人数据,然后使你的浏览器转发到黑客的服务器。

In Stored or Persistent XSS, the attacker’s input is stored by the webserver. Subsequently, any future visitors may execute that malicious code.

在存储或持久性XSS中,攻击者的输入被网络服务器存储。随后,任何未来的访问者都可能执行该恶意代码。

2.2. Defending Against the Attack

2.2.防御攻击

The main strategy for preventing XSS attacks is to clean user input.

防止XSS攻击的主要策略是清理用户输入。

In a Spring web application, the user’s input is an HTTP request. To prevent the attack, we should check the HTTP request’s content and remove anything that might be executable by the server or in the browser.

在Spring网络应用中,用户的输入是一个HTTP请求。为了防止攻击,我们应该检查HTTP请求的内容,删除任何可能由服务器或浏览器执行的内容。

For a regular web application, accessed through a web browser, we can use Spring Security‘s built-in features (Reflected XSS).

对于通过Web浏览器访问的普通Web应用程序,我们可以使用Spring Security的内置功能(Reflected XSS)。

3. Making an Application XSS Safe with Spring Security

3.用Spring Security使应用程序的XSS安全

Spring Security provides several security headers by default. It includes the X-XSS-Protection header. X-XSS-Protection tells the browser to block what looks like XSS. Spring Security can automatically add this security header to the response. To activate this, we configure the XSS support in the Spring Security configuration class.

Spring Security默认提供了几个安全标头。它包括X-XSS-Protection头。X-XSS-Protection告诉浏览器要阻止看起来像XSS的东西。Spring Security可以自动将这个安全标头添加到响应中。为了激活这一点,我们在Spring Security的配置类中配置XSS支持。

Using this feature, the browser does not render when it detects an XSS attempt. However, some web browsers haven’t implemented the XSS auditor. In this case, they don’t make use of the X-XSS-Protection header. To overcome this issue, we can also use the Content Security Policy (CSP) feature.

使用这一功能,浏览器在检测到XSS企图时就不会渲染。然而,一些网络浏览器还没有实施XSS审计器。在这种情况下,他们没有利用X-XSS-Protection为了克服这个问题,我们也可以使用内容安全策略(CSP)功能。

The CSP is an added layer of security that helps mitigate XSS and data injection attacks. To enable it, we need to configure our application to return a Content-Security-Policy header by providing a SecurityFilterChain bean:

CSP是一个额外的安全层,有助于缓解XSS和数据注入攻击。为了启用它,我们需要通过提供一个SecurityFilterChainbean来配置我们的应用程序以返回Content-Security-Policy头。

@Configuration
public class SecurityConf {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers()
            .xssProtection()
            .and()
            .contentSecurityPolicy("script-src 'self'");
        return http.build();
    }
}

4. Conclusion

4.总结

In this article, we saw how to prevent XSS attacks by using Spring Security’s xssProtection feature.

在这篇文章中,我们看到了如何通过使用Spring Security的xssProtection功能来防止XSS攻击。

As always, the source code can be found over on GitHub.

一如既往,源代码可以在GitHub上找到over