Our project recently went through security testing, and AppScan reported a SQL injection. I found that after appending a character sequence like %uFF07 to a parameter, request.getParameterNames() in the filter throws an exception (which cannot be caught), and the parameter key and value containing %uFF07 are silently dropped, so the SQL injection can no longer be detected. One workaround is to use request.getInputStream() in the filter to read the raw IO stream, which does let me detect the %, but then there is another problem: getParameterNames() and getInputStream() cannot be used together. If I use getInputStream() in the filter, request.getParameter elsewhere in the project breaks. Does anyone have a good solution?
Just like in the picture: the filter's request.getParameterNames() does not get the "value" attribute or its value.
A few questions first: is this a POST request? Is any framework used on the backend, e.g. Spring MVC?
Tracing Tomcat's log, the exception appears to occur when the processParameters method of org.apache.tomcat.util.http.Parameters is called.
Here is the Tomcat log:
org.apache.tomcat.util.http.Parameters processParameters
INFO: Character decoding failed. Parameter [value] with value [1234%uFF07] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values.
1. If the value parameter is missing and that SQL statement returns a 500 when executed, you should validate the parameters before performing the database operation. For a concrete validation approach, see the article below.
https://jinnianshilongnian.iteye.com/blog/1733708
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// XssClean is the poster's own helper class; it is not shown in this thread.
public class RequestWrapper extends HttpServletRequestWrapper {
    HttpServletRequest orgRequest = null;

    public RequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> map = new LinkedHashMap<>();
        Map<String, String[]> parameters = super.getParameterMap();
        for (String key : parameters.keySet()) {
            System.out.println("getParameterMap---------key obtained: " + key);
            String[] values = parameters.get(key);
            // Clean into a copy: the arrays returned by the container are its own.
            String[] cleaned = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                cleaned[i] = XssClean.xssClean(values[i]);
            }
            map.put(key, cleaned);
        }
        return map;
    }

    @Override
    public Enumeration<String> getParameterNames() {
        // Walk the names once for logging, then return a fresh enumeration:
        // the one iterated here is exhausted and would appear empty to the caller.
        Enumeration<String> enumeration = super.getParameterNames();
        while (enumeration.hasMoreElements()) {
            getParameterValues(enumeration.nextElement());
        }
        return super.getParameterNames();
    }

    @Override
    public String[] getParameterValues(String paramString) {
        String[] arrayOfString1 = super.getParameterValues(paramString);
        if (arrayOfString1 == null) {
            return null;
        }
        int i = arrayOfString1.length;
        String[] arrayOfString2 = new String[i];
        for (int j = 0; j < i; j++) {
            System.out.println("getParameterValues---------value obtained: " + arrayOfString1[j]);
            arrayOfString2[j] = XssClean.xssClean(arrayOfString1[j]);
        }
        return arrayOfString2;
    }

    @Override
    public String getParameter(String paramString) {
        String str = super.getParameter(paramString);
        if (str == null) {
            return null;
        }
        return XssClean.xssClean(str);
    }

    @Override
    public String getHeader(String paramString) {
        String str = super.getHeader(paramString);
        if (str == null) {
            return null;
        }
        return XssClean.xssClean(str);
    }

    @Override
    public String getQueryString() {
        String value = super.getQueryString();
        if (value != null) {
            value = XssClean.xssClean(value);
        }
        return value;
    }
}
Still running the SQL-injection request from above, the output still has no "value":
getParameterMap---------key obtained: id
getParameterMap---------key obtained: label
getParameterMap---------key obtained: type
getParameterMap---------key obtained: description
getParameterMap---------key obtained: sort
getParameterMap---------key obtained: remarks
How do I get the inputstream?
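As an added example (not code posted by anyone in this thread), the following wrapper addresses both halves of the question: it reads the body exactly once with getInputStream() and caches it, so later calls to getInputStream()/getReader() still work, and it parses the parameters itself instead of delegating to Tomcat, so a value like 1234%uFF07 that Tomcat drops with "Character decoding failed" is kept verbatim and can be inspected by the filter. The class name CachedBodyRequestWrapper is hypothetical, the decoder assumes UTF-8 and a percent-encoded ASCII query string or form body, and only application/x-www-form-urlencoded bodies are parsed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Example wrapper written for this thread (hypothetical class name). It reads the
// body once and caches it, so getInputStream()/getReader() can be called again
// downstream, and it parses the parameters itself with a decoder that keeps a
// value such as 1234%uFF07 verbatim instead of dropping it the way Tomcat does.
public class CachedBodyRequestWrapper extends HttpServletRequestWrapper {

    private final byte[] body;
    private final Map<String, String[]> params = new LinkedHashMap<>();

    public CachedBodyRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        body = readAll(request.getInputStream());
        Map<String, List<String>> tmp = new LinkedHashMap<>();
        parseInto(tmp, request.getQueryString());   // Tomcat returns it undecoded
        String ct = request.getContentType();
        if ("POST".equalsIgnoreCase(request.getMethod()) && ct != null
                && ct.toLowerCase().startsWith("application/x-www-form-urlencoded")) {
            // A form body is percent-encoded ASCII, so ISO-8859-1 preserves every byte.
            parseInto(tmp, new String(body, StandardCharsets.ISO_8859_1));
        }
        for (Map.Entry<String, List<String>> e : tmp.entrySet()) {
            params.put(e.getKey(), e.getValue().toArray(new String[0]));
        }
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) != -1; ) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    private static void parseInto(Map<String, List<String>> into, String encoded) {
        if (encoded == null || encoded.isEmpty()) return;
        for (String pair : encoded.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            into.computeIfAbsent(decode(name), k -> new ArrayList<>()).add(decode(value));
        }
    }

    // Strict %XX decoding (UTF-8 assumed). On a malformed escape such as %uFF07,
    // which makes Tomcat log "Character decoding failed" and ignore the parameter,
    // the raw text is returned unchanged so a filter can still see and reject it.
    static String decode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '+') {
                out.write(' ');
            } else if (c == '%') {
                if (i + 2 >= s.length()) return s;  // truncated escape
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) return s;     // not two hex digits, e.g. %u
                out.write((hi << 4) | lo);
                i += 2;
            } else {
                out.write(c);                       // ASCII in a well-formed query/body
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
    @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
    @Override public String[] getParameterValues(String name) { return params.get(name); }
    @Override public String getParameter(String name) {
        String[] v = params.get(name);
        return v == null || v.length == 0 ? null : v[0];
    }

    @Override public ServletInputStream getInputStream() {
        ByteArrayInputStream bais = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override public int read() { return bais.read(); }
            @Override public boolean isFinished() { return bais.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener listener) { }
        };
    }

    @Override public BufferedReader getReader() {
        return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
    }
}
```

In the filter, wrap the request before anything else touches it: `HttpServletRequest wrapped = new CachedBodyRequestWrapper((HttpServletRequest) req);`, run the injection check over `wrapped.getParameterMap()` (where the value "1234%uFF07" now appears, percent sign included, and can be rejected), and pass `wrapped` to `chain.doFilter(...)`. Because the wrapper answers getParameter()/getParameterMap() from its own cache rather than from Tomcat, controllers and Spring MVC `@RequestParam` bindings keep working after the stream has been read. Two caveats: the whole body is held in memory, so apply a size limit before reading, and multipart or JSON bodies are cached for re-reading but not parsed into parameters.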