Is my method completely secure for xss - javascript

I have a chatting website and I wanna know if it is XSS secure. Let me explain what is my method.
I use this JQuery code to add new messages to screen that are incoming from ajax request:
$("#message").prepend(req.msg);
I know this is vulnerable but messages on DB are encoded. So when I send that payload message:
<text>TEST</test>
It stored on database as encoded:
<text>TEST</test>
I know a scenario that is bypassing .htmlentities() function in this answer. Shortly:
<input value=<%= HtmlEncode(somevar) %> id=textbox>
If we send a onclick=alert(document.cookie) input to this html code, it will become:
<input value=a onclick=alert(document.cookie) id=textbox>
So in this scenario, encoding < > ; & characters can't save us. But I didn't write my code like this so I think I'm secure from that vulnerabilty. My server responds a JSON like this:
..."msg" : "<tr><td><b>user:<\b> <text>TEST</test><\td><\tr>",...
And I directly .prepend() the "msg" data into page. I think this is fully secure. Hacker must use < > ; & characters to XSS. I am also encoding \ as \\. But maybe I am missing something. Is that fully secure ?

No. It's not. The way the data is transported makes it possible for someone to input unescaped HTML tags. Say that someone posted this payload:
\u003cscript\u003ealert(1)\u003c/script\u003e
This would be entered into the database as-is, because there is nothing for htmlencode to escape. However, when it's put in the JSON, and said JSON is parsed, it becomes this:
<script>alert(1)</script>
And executes the malicious code. A better solution would be to encode the raw data for JSON, and then use an HTML escapement mechanism client-side.
With the server-side escaping \ in the JSON, I think that is fully secure.

Related

Unescapping client data in C# to prevent XSS or other attack

To prevent web application input from XSS or any other attack, we would like to decode all the input coming from the client (browser).
To bypass the standard validation, bad guys encode the data. Example:
<IMG SRC=javascript:alert('XSS')>
That gets translated to
<IMG SRC=javascript:alert('XSS')>
In C#, we can use HttpUtility.HtmlDecode & HttpUtility.UrlDecode to decode the client input. But, it does not cover all the type of encoding. For example, following encoded values are not getting translated using above methods. However, all the browser decode and execute them properly. One can verify them at https://mothereff.in/html-entities as well.
<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
It gets decoded to <img src=x onerror="javascript:alert('XSS')">
There are some more encoded text that does not get decoded using HtmlDecode method. In Java, https://github.com/unbescape/unbescape handles all such varieties.
Do we have a similar library in .Net or how do handle such scenarios?
Generally, you should not allow users to enter code into a text box.
Client side
Judging from the comments on your post, I'd simply add some client-side validation to prevent users from adding any sort of malicious inputs (such as verifying email fields contain emails) and then add the same validation techniques to your server.
Server side
As soon as you read a user's input in a model, you should validate and sanitise it before you do any further processing. Have a generic AntiXSS() class that can remove any malicious characters such as the <> symbols by checking myString.Contains("<") or myString.Contains(">") for example. If it does, remove that character. Validate your types. If you're checking the userEmail field, make sure it conforms to email syntax.
The general idea is that you can pass data to the client, but never trust any of the data that comes back from the client without first sanitising and cleansing everything.
I found the solution. HtmlUtility.HtmlDecode decodes the chars between ampersand '&' and semicolon ';'. However, the browsers do not bother about the suffixed ';'.
In my case, semicolon ';' was missing. I have written simple code to insert a semicolon before calling HtmlDecode method. Now, it's decoding properly as expected.

Is it possible to write ColdFusion statement within Javascript? [duplicate]

Can I use ColdFusion tags in JavaScript? For example:
<script language="javascript" type="text/javascript">
function validateUser() {
var userName = document.getElementById("username");
<CFQUERY DATASOURCE="mydatasourcename" NAME="getUser">
select USER_ID,COUNT(*) from user u
where u.firstname=userName;
</CFQUERY>
<cfif getUser.recordCount EQ 0>
<!--- Show eroor message --->
<cfelse>
<!--- Assign userId to hidden field --->
document.getElementById("userid").value=#USER_ID#
</cfif>
}
</script>
<input type='textbox' name='username' id='username' onblur=validateUser()/>
<input type='hidden' name='userid' id='userid'/>
When the end user enters their username, I would like to check in a database if this username exists or not. If it exists, I have to keep the userid in the hiddenfield or else throw an error.
Am I doing this correctly? If it is wrong, could you suggest the correct way?
Long version: http://blog.adamcameron.me/2012/10/the-coldfusion-requestresponse-process.html
Short version: no, you're not doing it right.
Mid-sized StackOverflow-friendly version: CFML code runs on the server side of a request; JavaScript runs on the client browser. And to be clear: the ColdFusion server never communicates with the browser directly at all: there's a web server in between. The client browser requests a file, the web server is configured to pass .cfm requests to the ColdFusion server, and it runs its code, returning the resulting string (eg: an HTML web page) to the web server which then returns that to the browser. That HTML might include JavaScript (inline or as external requests) which the browser will then execute.
Hopefully from that you can see that there's no direct interaction between server-side code and client-side code.
You have two facilities at your disposal to get the two communicating asynchronously though. Firstly: CFML code writes out text, but that text can be JS which the browser then runs when it finally receives it. Something like:
<cfset msg ="G'day world">
<script>alert("<cfoutput>#msg#</cfoutput>");</script>
Once the CFML server has processed that, what gets sent back to the browser is:
<script>alert("G'day world");</script>
In this way server-side code data can be used in client-side process if the server-side code "writes out" the data as part of its response. The example above is very trivial and not a "good practice" way of going about this, but it demonstrates the technique.
If you need to use JS code on the client to communicate back with the server, your only (real) recourse is to make an AJAX request back to the server to pass it client-side information for further server-side processing and for the server to respond with something. It is outwith the scope of your question to explain how best to do this, but there is a tonne of information out there to do this.
CFML provides some "wizards" to write HTML and JS out for you to facilitate this, but on the whole this is a bad approach to achieving this end, so I will not recommend it. However I will point you to a project which offers HTML/JS/CSS solutions to the inbuilt CFML wizardry: https://github.com/cfjedimaster/ColdFusion-UI-the-Right-Way
Back to the short answer: no, you cannot do what you are setting out to do for very good reasons, but if you revise your approach, you can achieve the ends that you want.
What you need to look at is passing the form fields back to the server via AJAX (jQuery makes this very easy), and run your <cfquery> code in a separate request.
If you read that blog article I mention from the outset (discloure: I wrote it, but I wrote it specifically for situations like this), then you'll understand why.
If you get stuck when working on part of your solution: raise another question more focused on whatever part you are stuck on.

Encoded HTML Tags in Query String still causing 500 Error

Hoping this is a quick fix.
I'm sending a query string from an AngularJS application to a web API coded in C#. The string contains a "message" value which may or may not contain url-encoded HTML tags.
Here's a basic example:
msg = "<a>"
querystring = "/SERVERPATH/?id=1&msg=%3Ca%3E"
Sending the string above to my API results in a 500 Error and the "msg" value never actually reaches the server. On the other hand, adding a space before and after the "a" causes everything to work great.
msg = "< a >"
querystring = "/SERVERPATH/?id=1&msg=%3C%20a%20%3E"
Is there a special type of validation occurring that I don't know about, and is there a way to configure these rules myself?
This is probably web.config related, but I could be totally wrong about that. Any input would be greatly appreciated.
The error code 500 is for internal server error. It means your code do reach your web service. By your example (where on putting a space before and after 'a' makes everything work) I am pretty sure that request validation is failing at your web service. To understand request validation please visit this link.
A word of caution: Try not to disable request validation on your web service. Doing that poses a huge security threat.
You may consider a work around, where instead of using URLEncode you can use HTMLEncode for encoding the query string values (values only).

Is it possible to shorten text in javascript to a php get request?

I have a very specific situation where a javascript page creates a new window with a meta-refresh in it which goes to a php page which has 1 variable with everything that the javascript page has put in it. Like so:
form.write('<meta http-equiv="refresh" content="0;URL=contentreq/index.php?data=');
Very long text with a lot of data (over 3000 characters)
form.write('" />');
The php page gets it like this:
$data=$_GET['data'];
$order=htmlentities(stripslashes(strip_tags($order)));
The problem is an existing app has this problem and I'm not in the situation to solve it properly so I was wondering if there is some way to encrypt/encode the data variable so that it will be a lot shorter. (My apache server does not like an 82512 characters long url...) Like tinyurl does, but PHP must be able to decode it back. I don't know the right term for it so my googling does not give me a lot of results.
The right term for this would be compression, but it won't work in this case either - the general URL length limit is 2000 characters because IE sets it that low, and if your data is tough to compress, you won't fit 3kb reliably into 2kb.
The only idea that comes to mind, if you can't store the data in a PHP session, is to "send the data ahead" using a Ajax POST request. That can carry much more than 3 kb. When the request has been sent, redirect to the next page, and have PHP fetch the transmitted data from the session or something.
It's not pretty, but the only idea that comes to my mind for this very specific scenario.
Another idea, although this is purely client-side so you can't pass on the URL, is storing the data in the browser-side local storage.
Reference:
Maximum URL length is 2,083 characters in Internet Explorer
jQuery Ajax
PHP Sessions
A URL shortening service saves hash-URL pairs and does redirects from the short URL to the long ones. This is not applicable to your case because your data URL part is dynamic.
An approach you can take is to put all your data in a cookie and let the PHP script read it from that cookie. Another option would be to POST you request to the PHP script, but this one may not be applicable.
Also note that there are differences between encryption, encoding and compression. You weren't asking for encryption or encoding, but compression.
Regards,
Alin
Compression was the term I was looking for. I've rebuilt the javascript function to do a post with the link Pekka sent. The thing now works with the bizzare long queries.
Thanks!
This is the code I've used:
document.body.innerHTML += '<form id="dynForm" action="http://example.com/" method="post"><input type="hidden" name="q" value="a"></form>';
document.getElementById("dynForm").submit();

JavaScript and JQuery - Encoding HTML

I have a web page that has a textarea defined on it like so:
<textarea id="myTextArea" rows="6" cols="75"></textarea>
There is a chance that a user may enter single and double quotes in this field. For instance, I have been testing with the following string:
Just testin' using single and double "quotes". I'm hoping the end of this task is comin'.
Additionally, the user may enter HTML code, which I would prefer to prevent. Regardless, I am passing the contents of this textarea onto web service. I must encode the contents of the textarea in JavaScript before I can send it on. Currently, I'm trying the following:
var contents $('<div/>').text($("#myTextArea").val()).html();
alert(contents);
I was expecting contents to display
Just testin' using single and double "quotes". I'm hoping the end of this task is comin'.
Instead, the original string is printed out. Beyond just double-and-single quotes, there are a variety of entities to consider. Because of this, I was assuming there would be a way to encode HTML before passing it on. Can someone please tell me how to do this?
Thank you,
If you're sending to a web service, you'll presumably be URL-encoding these (as part of a POST, for instance, either via form submission of Ajax). That will handle any necessary escaping at your end. The service at the other end is responsible for interpreting the input string correctly. If the service doesn't accept HTML tags, it's the service's job to do the necessary entity encoding (or whatever other kind of encoding it wants).
If the service doesn't take responsibility for this, it's open to errors in the client and attacks by people with nefarious intent. So it's really the other end's problem.
By using:
var contents = $("<div/>").text($("#myTextArea").val()).text();
alert(contents);
You display the textual contents instead of the contents in html.

Categories

Resources