javascript - Issue regarding the XSS (Cross Site Scripting) attack -

-

in email of page have following contents.

please <a href="emaildisclaimer-test.html?name=test&email=test@test.com" target="_blank">click here</a> regarding event.

when user clicks on "click here" page redirected html page. url parameter retrieved , displayed. here i'm facing problems of xss attack. can have idea regarding issue. how can prevent javascript?

from comment:

once redirected, parsed , displayed in html. url passing parameter edited , appended script tags (<img src="javascript:alert('xss');">). how can prevent appending parameter externally ??

as long content user supplies ever shown to same user, there's no xss issue. can hack themselves, no 1 else.

if you're accepting end-user content display other users, of course need paranoid xss.

i'm seeing 2 possible uses of content user:

  • not allowing them use html

  • allowing them provide (some) html

not allowing them use html

if want end user supply information not allowed html, make sure of < , & characters replaced entities:

// user str = "<img src='javascript:malicious();'>";  // disable str = str.replace(/&/g, "&amp;").replace(/</g, "&lt;");

now if include content on page, looks (html source, not rendered):

blah blah blah, user says: <img src='javascript:malicious();'>

...which when rendered is

blah blah blah, user says:

...e.g., tag not tag, it's text on page.

allowing them provide (some) html

if want user able supply html added pages, have use full html parser (server-side) whitelist of tags, attributes, , attribute values, stripping out isn't on whitelist. presumably whitelist not include script elements or javascript in attribute.

there many choose from. 1 of best known jsoup (a java library) has .net port (jsoup.net); microsoft has anti-samy library. , on. requires full-on, proper html parsing, , you'll want well-documented, well-supported library handle you, , you'll need server-side.

original answer:

i'm not seeing xss there, seeing potential security issue. making information available in plaintext in url, make open tampering. if 1 of , see

emaildisclaimer-test.html?name=test&email=test@test.com

i think: hey, wonder happens if try other people's information? , fill in other names , email addresses. (okay, don't really, if of mindset...)

instead, make harder guess valid information looks like:

emaildisclaimer-test.html?r=nzzinjflzdatzmrlmi0xmwuzlwezywmtmdgwmdiwmgm5yty2

now have little information work with. emaildisclaimer-test.html need access understanding r query param is.

that particular example base64-encoded uuid; un-encode , in server-side storage (for instance).

alternately, encrypt information public key (and base64-encode result), , emaildisclaimer-test.html decrypt (server-side) private key don't have have db of them. depends how secure need be.

note i've said "server side" couple of times there. extension, .html, suggests content static , emaildisclaimer-test.html uses query string client-side. you'll need server-side processing if want improve security.

how can prevent javascript?

i assume mean client-side javascript. if want purely client-side, never secure. can make harder figure out, raising bar (really slightly) on trying game system. (obfuscated code decoding obfuscated query string). you'll need server-side processing worthwhile protect it.


Comments

Post a Comment

Popular posts from this blog

google api - Incomplete response from Gmail API threads.list -

-
i plot number of emails in inbox on time using gmail api , i'm seeing lot of drop-outs, whatever reason i'm getting incomplete count of messages @ single time points. my plots here: https://plot.ly/~tdsmith/2 -- "drop-outs" i'm complaining trace shoots downwards , recovers previous level @ next timepoint. the code i'm using count emails here: https://github.com/tdsmith/gmail-plotly/blob/master/gmail-plotly.py#l47-l64 what can diagnose these faults?
Read more

Installing Android SQLite Asset Helper -

-
i need use ready made database. search solution on internet did not work until decided use mentioned library found here . however, found hard use library in installation procedures shallow beginners. i appreciate step step procedure on how use android studio. in struggle tried copying sources main/libs , adding line gradle did not work. use api 19 if helps. update here build.gradle // top-level build file can add configuration options common sub-projects/modules. buildscript { repositories { mavencentral() } dependencies { classpath 'com.android.tools.build:gradle:0.11.+' compile 'com.readystatesoftware.sqliteasset:sqliteassethelper:+' // note: not place application dependencies here; belong // in individual module build.gradle files } } allprojects { repositories { mavencentral() } } trying compile project error error:(9, 0) no signature of method: org.gradle.api.internal.artifacts
Read more

Qt Creator - Searching files with Locator including folder -

-
one quick question qtcreator : know possible use locator open files using "ctrl-k" shortcut. however, possible search files including locations? for example, let's want locate file named "main.cpp" in folder named "myfolder" , have lots of other main.cpp files. what should type locator in order open ? just type myfolder/main.cpp in locator
Read more