1.互聯(lián)網(wǎng)Api接口到底如何保證安全性問題？2.代碼落地實戰(zhàn)防御XSS、CSRF攻擊3.代碼落地如何防御接口數(shù)據(jù)被黑客抓包篡改？4.接口數(shù)據(jù)加密對稱還是非對稱加密好

安全架構(gòu)設(shè)計方案

如何防御xss攻擊

XSS攻擊通常指的是通過利用網(wǎng)頁開發(fā)時留下的漏洞，通過巧妙的方法注入惡意指令代碼到網(wǎng)頁，使用戶加載并執(zhí)行攻擊者惡意制造的網(wǎng)頁程序。這些惡意網(wǎng)頁程序通常是JavaScript，但實際上也可以包括Java、 VBScript、ActiveX、 Flash 或者甚至是普通的HTML。攻擊成功后，攻擊者可能得到包括但不限于更高的權(quán)限（如執(zhí)行一些操作）、私密網(wǎng)頁內(nèi)容、會話和cookie等各種內(nèi)容。 [1]

腳本攻擊：利用JavaScript 注入 到后臺數(shù)據(jù)庫中，在通過展示數(shù)據(jù)加載該腳本 該腳本中（

1.使用js獲取cookie信息（jwt）

2.將該jwt數(shù)據(jù) 上傳黑客服務(wù)器（ajax）

）

獲取jwt—用戶會話信息 讓后模擬請求形式使用該jwt登錄。

xss攻擊典型網(wǎng)站：論壇、評論區(qū)

http://127.0.0.1:8080/getUserInfo?userName=

http://127.0.0.1:8080/getUserInfo?userName=

模擬xss攻擊

前端傳遞 js 腳本到服務(wù)器端

{ “channel”: “”, “equipment”: “”, “password”: “123456”, “phoneNumber”: “15921009758”}

后端接口將該腳本存放數(shù)據(jù)庫中

package com.mayikt.main.api.impl;import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;import com.mayikt.common.core.api.BaseApiService;import com.mayikt.common.core.api.BaseResponse;import com.mayikt.main.api.UserLoginLogService;import com.mayikt.main.api.dto.res.UserLoginLogResDto;import com.mayikt.main.api.impl.entity.SysUserLoginLog;import com.mayikt.main.api.impl.mapper.SysUserLoginLogMapper;import org.springframework.beans.BeanUtils;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.stereotype.Service;import org.springframework.web.bind.annotation.CrossOrigin;import org.springframework.web.bind.annotation.RestController;import java.util.ArrayList;import java.util.List;/** * @ClassName UserLoginLogImpl */@RestController@CrossOriginpublic class UserLoginLogImpl extends BaseApiService implements UserLoginLogService { @Autowired private SysUserLoginLogMapper sysUserLoginLogMapper; @Override public BaseResponse getUserLoginLog() { // 模擬查詢登錄的日志記錄 List sysUserLoginLogs = sysUserLoginLogMapper.selectList(new QueryWrapper()); List userLoginLogResDtos = new ArrayList(); for (int i = 0; i < sysUserLoginLogs.size(); i++) { UserLoginLogResDto userLoginLogResDto = new UserLoginLogResDto(); BeanUtils.copyProperties(sysUserLoginLogs.get(i), userLoginLogResDto); userLoginLogResDtos.add(userLoginLogResDto); } return setResultSuccessData(userLoginLogResDtos); }}package com.mayikt.main.api;import com.mayikt.common.core.api.BaseResponse;import com.mayikt.main.api.dto.res.UserLoginLogResDto;import org.springframework.web.bind.annotation.GetMapping;import java.util.List;/** * @ClassName UserLoginLogService */public interface UserLoginLogService { @GetMapping("/getUserLoginLog") BaseResponse getUserLoginLog();}

前端html

xss模擬攻擊

防御xss

方式1

將用戶前端所提交的參數(shù)進行過濾。

html 大于> 小于號 <

String equipment = loginUserReqDto.getEquipment(); loginUserReqDto.setEquipment(StringUtils.isEmpty(equipment) ? null : StringEscapeUtils.escapeHtml(equipment)); SysUserLoginLog sysUserLoginLog = new SysUserLoginLog(sysUser.getId(), IPUtils.getIpAddr(request), new Date(), token, loginUserReqDto.getChannel(), loginUserReqDto.getEquipment());

該方式的缺陷：每個參數(shù)都需要像這樣寫 代碼非常冗余

String str = “”; String s = StringEscapeUtils.escapeHtml(str); System.out.println(s);

方式2

接口接受參數(shù) ？傳遞參數(shù)形式—

傳遞參數(shù)都是json數(shù)據(jù)形式

spring mvc 接受 json數(shù)據(jù)提供 api回調(diào)

package com.mayikt.main.security;import com.fasterxml.jackson.core.JsonParser;import com.fasterxml.jackson.core.JsonProcessingException;import com.fasterxml.jackson.databind.DeserializationContext;import com.fasterxml.jackson.databind.JsonDeserializer;import com.fasterxml.jackson.databind.ObjectMapper;import com.fasterxml.jackson.databind.module.SimpleModule;import com.google.common.net.MediaType;import org.apache.commons.lang.StringEscapeUtils;import org.apache.commons.lang.StringUtils;import org.springframework.context.annotation.Configuration;import org.springframework.http.converter.HttpMessageConverter;import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;import java.io.IOException;import java.util.ArrayList;import java.util.List;import java.util.ListIterator;/** * 解決post 請求傳遞json數(shù)據(jù) 防御xss攻擊 */@Configurationpublic class WebMvcConfig extends WebMvcConfigurationSupport { @Override public void addResourceHandlers(ResourceHandlerRegistry registry) { registry.addResourceHandler(“swagger-ui.html”) .addResourceLocations(“classpath:/META-INF/resources/”); registry.addResourceHandler(“/webjars/**”) .addResourceLocations(“classpath:/META-INF/resources/webjars/”); } @Override protected void extendMessageConverters(List messageConverters) { /** * 替換默認的MappingJackson2HttpMessageConverter，過濾(json請求參數(shù))xss */ ListIterator listIterator = messageConverters.listIterator(); while (listIterator.hasNext()) { HttpMessageConverter next = listIterator.next(); if (next instanceof MappingJackson2HttpMessageConverter) { listIterator.remove(); break; } } messageConverters.add(getMappingJackson2HttpMessageConverter()); } public MappingJackson2HttpMessageConverter getMappingJackson2HttpMessageConverter() { // 創(chuàng)建自定義ObjectMapper SimpleModule module = new SimpleModule(); module.addDeserializer(String.class, new JsonHtmlXssDeserializer(String.class)); ObjectMapper objectMapper = Jackson2ObjectMapperBuilder.json().applicationContext(this.getApplicationContext()).build(); objectMapper.registerModule(module); // 創(chuàng)建自定義消息轉(zhuǎn)換器 MappingJackson2HttpMessageConverter mappingJackson2HttpMessageConverter = new MappingJackson2HttpMessageConverter(); mappingJackson2HttpMessageConverter.setObjectMapper(objectMapper); return mappingJackson2HttpMessageConverter; }}/** * 對入?yún)⒌膉son進行轉(zhuǎn)義 */class JsonHtmlXssDeserializer extends JsonDeserializer { public JsonHtmlXssDeserializer(Class string) { super(); } @Override public Class handledType() { return String.class; } @Override public String deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException, JsonProcessingException { String value = jsonParser.getValueAsString(); if (!StringUtils.isEmpty(value)) { return StringEscapeUtils.escapeHtml(value); } return value; }}

抓包如何防止篡改數(shù)據(jù)

Fiddler抓包工具的使用

1.可以使用第三方抓包工具，對請求前后實現(xiàn)代理，可以修改參數(shù)請求內(nèi)容和參數(shù)響應(yīng)內(nèi)容,抓包工具http調(diào)試工具

2.Fiddler4下載地址：https://pc.qq.com/detail/10/detail_3330.html

使用Fiddler4篡改請求之前：

防御篡改數(shù)據(jù)

使用MD5可以直接驗證簽名參數(shù) MD5 屬于單向加密，只能夠暴力破解。

MD5應(yīng)用場景 在nacos分布式配置中心中，使用MD5 比對文件內(nèi)容是否發(fā)生改變

HasherPro比對文件內(nèi)容是否發(fā)生改變。

MD5在線暴力破解地址：https://www.cmd5.com/

String userName=”123456″;System.out.println( DigestUtils.md5Hex(userName));

黑客如何破解？自己需要根據(jù)參數(shù)內(nèi)容 生成簽名

如果只是改了參數(shù)內(nèi)容—沒有用的 所以我們需要該簽名

{“password”:”123456″,”phoneNumber”:”phoneNumber”,”channel”:”安卓”,”equipment”:””}

{sign=325ab041d4889825a46d1e1e802ab5de, timestamp=1652537015771}

package com.mayikt.main.security;import com.alibaba.fastjson.JSONObject;import com.alibaba.fastjson.JSONPObject;import org.apache.commons.codec.digest.DigestUtils;import org.slf4j.Logger;import org.slf4j.LoggerFactory;import java.io.UnsupportedEncodingException;import java.net.URLEncoder;import java.util.*;/** * 參數(shù)驗證簽名 */public class SignUtil { private static Logger logger = LoggerFactory.getLogger(SignUtil.class); /** * 加密密鑰 */ private final static String APP_KEY = “mykey123456”; public final static String SECRET_KEY = “mysecret123456”; /** * 字符編碼 */ private final static String INPUT_CHARSET = “UTF-8”; /** * 超時時間 */ private final static int TIME_OUT = 30 * 60 * 1000; /** * 請求參數(shù)Map轉(zhuǎn)換驗證Map * * @param requestParams 請求參數(shù)Map * @param charset 是否要轉(zhuǎn)utf8編碼 * @return * @throws UnsupportedEncodingException */ public static Map toVerifyMap(Map requestParams, boolean charset) { Map params = new HashMap(); for (Iterator iter = requestParams.keySet().iterator(); iter.hasNext(); ) { String name = (String) iter.next(); String[] values = requestParams.get(name); String valueStr = “”; for (int i = 0; i < values.length; i++) { valueStr = (i == values.length – 1) ? valueStr + values[i] : valueStr + values[i] + ","; } // 亂碼解決，這段代碼在出現(xiàn)亂碼時使用。如果mysign和sign不相等也可以使用這段代碼轉(zhuǎn)化 if (charset) valueStr = getContentString(valueStr, INPUT_CHARSET); params.put(name, valueStr); } return params; } /** * 除去數(shù)組中的空值和簽名參數(shù) * * @param sArray 簽名參數(shù)組 * @return 去掉空值與簽名參數(shù)后的新簽名參數(shù)組 */ public static Map paraFilter(Map sArray) { Map result = new HashMap(); if (sArray == null || sArray.size() <= 0) { return result; } for (String key : sArray.keySet()) { String value = sArray.get(key); if (value == null || value.equals("") || key.equalsIgnoreCase("sign")) { continue; } result.put(key, value); } return result; } /** * 把數(shù)組所有元素排序，并按照“參數(shù)=參數(shù)值”的模式用“&”字符拼接成字符串 * * @param params 需要排序并參與字符拼接的參數(shù)組 * @return 拼接后字符串 */ public static String createLinkString(Map params) { return createLinkString(params, false); } /** * 把數(shù)組所有元素排序，并按照“參數(shù)=參數(shù)值”的模式用“&”字符拼接成字符串 * * @param params 需要排序并參與字符拼接的參數(shù)組 * @param encode 是否需要UrlEncode * @return 拼接后字符串 */ public static String createLinkString(Map params, boolean encode) { List keys = new ArrayList(params.keySet()); Collections.sort(keys); String prestr = ""; for (int i = 0; i TIME_OUT) { logger.info(“api is time out”); return false; } return true; } else { return false; } } public static void main(String[] args) { JSONObject jsonObject = new JSONObject(); jsonObject.put(“channel”, “ios”); jsonObject.put(“equipment”, “alert(‘mayikt’)”); jsonObject.put(“password”, “123456”); jsonObject.put(“phoneNumber”, “phoneNumber”); String json = jsonObject.toJSONString(); System.out.println(json); Map stringStringMap = signJson(json); System.out.println(stringStringMap); }}package com.mayikt.main.security;import com.alibaba.fastjson.JSONObject;import lombok.extern.slf4j.Slf4j;import org.springframework.stereotype.Component;import javax.servlet.*;import javax.servlet.annotation.WebFilter;import javax.servlet.http.HttpServletRequest;import java.io.IOException;import java.io.PrintWriter;@Component@WebFilter()@Slf4jpublic class SignFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // 攔截請求,驗證json數(shù)據(jù) 簽名 RequestWrapper requestWrapper = new RequestWrapper((HttpServletRequest) request); String json = requestWrapper.getBody(); // 驗證token HttpServletRequest req = (HttpServletRequest) request; String sign = req.getHeader(“sign”); String timestamp = req.getHeader(“timestamp”); boolean result = SignUtil.verifyJson(json, sign, timestamp); if (!result) { PrintWriter writer = response.getWriter(); JSONObject data = new JSONObject(); data.put(“code”, “500”); data.put(“msg”, “驗證簽名失敗”); writer.println(data.toJSONString()); writer.close(); return; } chain.doFilter(requestWrapper, response); } @Override public void destroy() { }}package com.mayikt.main.security;import lombok.extern.slf4j.Slf4j;import javax.servlet.ReadListener;import javax.servlet.ServletInputStream;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;import java.io.BufferedReader;import java.io.ByteArrayInputStream;import java.io.IOException;import java.io.InputStreamReader;@Slf4jpublic class RequestWrapper extends HttpServletRequestWrapper { private final String body; // 報文 public RequestWrapper(HttpServletRequest request) throws IOException { super(request); BufferedReader streamReader = new BufferedReader( new InputStreamReader(request.getInputStream(), “UTF-8”)); StringBuilder responseStrBuilder = new StringBuilder(); String inputStr; while ((inputStr = streamReader.readLine()) != null) { responseStrBuilder.append(inputStr); } body = responseStrBuilder.toString(); log.info(“body:{}”, body); } public String getBody() { return body; } @Override public BufferedReader getReader() throws IOException { return new BufferedReader(new InputStreamReader(getInputStream())); } @Override public ServletInputStream getInputStream() throws IOException { final ByteArrayInputStream bais = new ByteArrayInputStream(body.getBytes(“utf-8”)); return new ServletInputStream() { @Override public boolean isFinished() { return false; } @Override public boolean isReady() { return false; } @Override public void setReadListener(ReadListener readListener) { } @Override public int read() throws IOException { return bais.read(); } }; }}

相關(guān)代碼

m5.rar