[Spring] 사용자 정의 필터 생성(filter)

web.xml 에 사용자 정의 필터 삽입

참고 URL : https://jwchoi85.tistory.com/54  
		https://m.blog.naver.com/PostView.nhn?blogId=tyboss&logNo=70048135045&proxyReferer=https%3A%2F%2Fwww.google.com%2F  
		https://m.blog.naver.com/PostView.nhn?blogId=weekamp&logNo=220458872665&proxyReferer=https%3A%2F%2Fwww.google.com%2F  
  
		* 필터 설명  
		https://jun-itworld.tistory.com/28  
  
		* 필터 순서  
		https://dololak.tistory.com/599  

XSS 필터 작성
##################################################################################################################

## 사용자 정의 필터 작성  
  
	사용자 정의 필터를 만들때는 Filter 를 구현해야 함  
	init , doFilter, destroy 세개를 작성해야 함  
	init 에서 사용하는 Request 와 Response 의 경우에는 servletRequest, ServletResponse 임 (HttpServletRequest 가 아님)  
  
	필터 파일에서 chain.doFilter() 에 매게변수로 넣어주는 값중 첫번째는 직접 구현해서 만든 필터파일이며, HttpServletRequestWrapper 클래스를 상속받아서 구현하되, 넘겨주는 변수타입은  
	HttpServletRequest 임  
  
	두번째 매게변수로는 ServletResponse 를 넣어주면 됨  
  
	아래의 메소드들을 구현하면 됨  
	public String[] getParameterValues(String parameter) {}  
	public String getParameter(String parameter) {}  
	public String getHeader(String name) {}  
  
	## XSS 필터로 사용할 자바파일 작성  
  
	=================================================================================================================  
  
	package securus.common.util;  
  
	import java.io.IOException;  
  
	import javax.servlet.Filter;  
	import javax.servlet.FilterChain;  
	import javax.servlet.FilterConfig;  
	import javax.servlet.ServletException;  
	import javax.servlet.ServletRequest;  
	import javax.servlet.ServletResponse;  
	import javax.servlet.http.HttpServletRequest;  
  
	public class FilterTest implements Filter {  
  
		public FilterConfig filterConfig;  
  
		public void init(FilterConfig filterConfig) throws ServletException {  
			this.filterConfig = filterConfig;  
		}  
  
		public void destroy() {  
			this.filterConfig = null;  
		}  
  
		public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)  
				throws IOException, ServletException {  
  
			chain.doFilter(new XssFilter((HttpServletRequest) request), response);  
  
		}  
	}  
  
	=================================================================================================================  
  
	## XSS 필터를 작성  
  
	=================================================================================================================  
  
	package securus.common.util;  
  
	import javax.servlet.http.HttpServletRequest;  
	import javax.servlet.http.HttpServletRequestWrapper;  
  
	public final class XssFilter extends HttpServletRequestWrapper {  
  
		public XssFilter(HttpServletRequest servletRequest) {  
			super(servletRequest);  
		}  
  
		public String[] getParameterValues(String parameter) {  
  
			String[] values = super.getParameterValues(parameter);  
			if (values==null)  {  
				return null;  
			}  
			int count = values.length;  
			String[] encodedValues = new String[count];  
			for (int i = 0; i < count; i++) {  
				encodedValues[i] = cleanXSS(values[i]);  
			}  
  
			return encodedValues;  
		}  
  
		public String getParameter(String parameter) {  
  
			String value = super.getParameter(parameter);  
			if (value == null) {  
				return null;  
			}  
			return cleanXSS(value);  
		}  
  
		public String getHeader(String name) {  
  
			String value = super.getHeader(name);  
			if (value == null)  
				return null;  
			return cleanXSS(value);  
  
		}  
  
		private String cleanXSS(String value) {  
			//You'll need to remove the spaces from the html entities below  
			value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");  
			value = value.replaceAll("₩₩(", "& ##40;").replaceAll("₩₩)", "& #41;");  
			value = value.replaceAll("'", "& ##39;");  
			value = value.replaceAll("eval₩₩((.*)₩₩)", "");  
			value = value.replaceAll("[₩₩₩"₩₩₩'][₩₩s]*javascript:(.*)[₩₩₩"₩₩₩']", "₩"₩"");  
			value = value.replaceAll("script", "");  
			return value;  
		}  
	}  
  
	=================================================================================================================  

##################################################################################################################

CilckJackFilter 필터 작성
##################################################################################################################

## 클릭재킹 취약점에서 사용할 필터를 작성  
=================================================================================================================  
import javax.servlet.*;  
import javax.servlet.http.HttpServletResponse;  
import java.io.IOException;  
  
/**  
 * Created by kimsc on 2019-02-20.  
 */  
public class ClickjackFilter implements Filter{  
  
/*    private String mode = "SAMEORIGIN";*/  
/*    private String mode = "DENY";*/  
	private String mode = "ALLOW-FROM";  
	/**  
	 * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who  
	 * decide to implement) not to display this content in a frame. For details, please  
	 * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.  
	 */  
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {  
		HttpServletResponse res = (HttpServletResponse)response;  
		res.setHeader("Access-Control-Allow-Origin", "http://localhost:9080");  
		res.addHeader("X-FRAME-OPTIONS","ALLOW-FROM http://localhost:8080");  
		res.setHeader("Access-Control-Allow-Methods", "POST, GET");  
		res.setHeader("Access-Control-Max-Age", "3600");  
		res.setHeader("Access-Control-Allow-Headers", "x-requested-with, origin, content-type, accept");  
		//ClickJacking  
		res.addHeader("X-FRAME-OPTIONS", mode );  
		chain.doFilter(request, response);  
	}  
  
	public void destroy() {  
	}  
  
	public void init(FilterConfig filterConfig) {  
		String configMode = filterConfig.getInitParameter("mode");  
		if ( configMode != null ) {  
			mode = configMode;  
		}  
	}  
}  
=================================================================================================================  

##################################################################################################################

web.xml 에 필터 등록

* 필터는 web.xml 에 기재해논 순서대로 작동함 위에서 부터 아래로 <filer-mapping> 의 순서대로 진행하게 되어있음  
  
=================================================================================================================  
  
<!-- XSS Filter Start-->  
<filter>  
	<filter-name>FilterTest</filter-name>  
	<filter-class>securus.common.util.FilterTest</filter-class>  
</filter>  
<filter-mapping>  
	<filter-name>FilterTest</filter-name>  
	<url-pattern>/*</url-pattern>  
</filter-mapping>  
  
<!-- Clickjacking Start-- -->  
<filter>  
    <filter-name>ClickjackFilterSameOrigin</filter-name>  
    <filter-class>securus.filter.ClickjackFilter</filter-class>  
    <init-param>  
        <param-name>mode</param-name>  
        <param-value>ALLOW-FROM</param-value>  
    </init-param>  
</filter>  
<filter-mapping>  
    <filter-name>ClickjackFilterSameOrigin</filter-name>  
    <url-pattern>*.do</url-pattern>  
</filter-mapping>  
<!-- Clickjacking End -->  

=================================================================================================================

← Previous Post Next Post →

[Spring] 사용자 정의 필터 생성(filter)

ASP (5)

Chat_GPT (2)

Cloud (11)

DB (15)

Docker (13)

ELK (15)

EffectiveJava (17)

Git (23)

IDE (12)

JAVA_Spring (57)

JPA (42)

JPA-usage (12)

JSP_javascript (28)

Jenkins (19)

Keycloak (21)

MSA (1)

Nginx (1)

Opentelemetry (1)

PHP (1)

Python (3)

Redis (5)

SpringBoot (85)

Vue (17)

linux (16)

tomcat (10)

windows (1)

개발지식 (9)

주식가격파싱시스템개발 (1)

캠핑장예약확인프로그램개발 (4)

코딩테스트 (38)

web.xml 에 사용자 정의 필터 삽입

web.xml 에 필터 등록