The javascript below extracts www.google.com from http://mysite.com?url=www.google.com
and writes it as an <a> href link
<script>
var urll = (window.location.search.match(/[?&;]url=([^&;]+)/) || [])[1];
document.write('url');
</script>
The problem with it is that when it extracts the url the <a> href value it becomes http://mysite.com/www.google.com so the if should state if the original url http://mysite.com?url=www.google.com doesn't have http:// infront of ?url= then add it after the href value to form url
In a comment for a previous question someone gave me this
if (link.substr(0, 7) !== 'http://') { link = 'http://' + link; }
but I really don't have a clue on how to implement it because I have never used an if in javascript.
Apart from anything else you're making yourself suspectible to XSS attacks:
Assume for a moment that the url parameter (which an external site can easily spoof by providing a link to your site) contains the string "><b>BOLD!</b><div class=". Suddenly your page would display some bold text, even 'though you never used a <b> tag in your site. And that's the most harmless example possible, because the attacker can equally well introduce arbitrary JavaScript into your page (including JS that steals the users cookie!).
Moral of the story: never blindly trust user input, and don't simply convert it to HTML.
To avoid these kinds of attacks (SQL Injection is a very similar attack against server-side code that builds SQL statements) do these two things:
validate the input to ensure that it's exactly what you expect and don't accept it if it doesn't. In your case that would mean that you'd want to make sure that the url parameter actually represents a valid URL.
Use user data only in "safe" ways that don't introduce the possibility of "re-interpretation" of the input. In your case it means that you must not build your HTML using string concatenation like this. Intead use document.createElement() to create your a element, set its href attribute to the desired value (sanitized as stated above) and then add the newly created a element in your DOM at the appropriate position.
It looks like you need https://developer.mozilla.org/en/JavaScript. "if" is the most basic element of any programming language, if you don't understand that you'll really need to run through a bunch of basics.
Related
We had a WhiteHat scan done of our site, and one of the vulnerabilites they returned was our URL appended with whscheck'*alert(13)*'a/. When we run the full URL (https://oursite.com/phorders3/index.php/whscheck'*alert(13)*'a/), the site loads and an alert with the value of 13 pops. Can anyone explain how this works? What exactly are the asterisks and the a/ doing?
The code in your page is using the value from the URL in a string literal in the Javascript, without escaping the value properly. That means that anyone can just put Javascript in the URL and it will execute in the page.
That could for example be used for cross site scripting by linking to your site with such an URL, and when someone uses the link the script will run in their browser, pick up some information that is private to that user and send it somewhere.
The apostrophes and the asterisks are used to break out of a string literal. If you have some code like this in the Javascript in the page:
var s = '<? echo $variable ?>';
where the variable contains the value from the URL, it would end up like this in the rendered page:
var s = 'whscheck'*alert(13)*'a';
The apostrophe makes the string literal end, and makes the following expression a part of the Javascript code instead of content in a string.
The asterisk is just an operator between the expressions. It's easier to put in an URL than the + operator that would otherwise be a natural choise.
More than likely this injection is landing somewhere between script tags () and the URL is being reflected in some sort of function or variable inside the script. Here is a breakdown of the injection and how/why it works.
' breaks out of the string literal in the variable definition
* causes the javascript to focus on that portion of code first and is often a way of getting around filters that disallow ;
alert(13) is the proof of concept that causes the alert box with 13 inside to show execution of javascript
* again is more than likely to bypass a filter or WAF blocking ;
' to re-open the string literal to make the syntax of the javascript correct
a is just some arbitrary input to go into the string
/ is to close off the path of the URL itself in what appears to be a RESTful URL structure.
There is an option in the Sentinel interface for you to ask the Whitehat engineers these kinds of questions directly, which is a very helpful resource.
Question
I would like to find out all occurrence of for example "stackoverflow" in loaded DOM using javascript and replace it with "unknown company"
This text can be a value in html text, html attribute, javascript string - generally all places which could be shown to user.
More details
I cannot search source code, because parts of it are in database, resources, external providers. That is why the easiest way for me is to validate client side.
I have a SPA and 99% is downloaded by AJAX
I am using backbone mixed with standard ASP.NET MVC (but I think it does not change anything)
I cannot provide any code because I do not have an idea how to start
My ideas
Create global handler on ajax success. Search and replace in responseText filtered by content-type: html, text, json, javascript
Read whole DOM into string and make search and replace, but I don't know if it is possible for all above resources.
I hope my question is clear enough, if not I will add more details.
$('.myelement').html(function(index, oldHtml) {
return oldHtml.replace(/stackoverflow/i, 'unknown company');
});
Something like that should replace the text on-the-fly for any given element (and children).
It's up to you to see if it's safe to assume that 'stackoverflow' doesn't appear in any HTML attributes, because they might get replaced too.
I'm xss-proofing my web site for javascript and xss attacks. It's written in ASP.NET Webforms.
The main part I'd like to test is a user control that has a textbox (tinyMCE attached to it).
Users can submit stories to site by writing in this textbox. I had to set validateRequest to false since I want to get users' stories in HMTL (tinyMCE).
How should I prevent javascript-xss attacks? Since users' stories are HMTL texts, I cannot use Server.HtmlEncode on their stories. In general, what's the safe way to receive HTML content from user, save and then display it to users?
If one user puts malicious code in the textbox and submits it, is there a chance that this could harm other people who view that text?
Thanks.
If you don't clean what the user puts in the textbox and submits, then yes, there is a chance for harm to be done.
You might want to check out the Microsoft Anti-Cross Site Scripting Library, as it is designed to help developers prevent just such attacks.
Also worth taking a look at is OWASP's Cross-site Scripting (XSS)
You might want to look into HttpUtility.HtmlEncode and HttpUtility.HtmlDecode as well. I just wrote a quick test, and it looks like it might address your concern in the comment below (about how to display the data to other users in the right format):
string htmlString = "<b>This is a test string</b><script>alert(\"alert!\")</script> and some other text with markup <ol><li>1234235</li></ol>";
string encodedString = HttpUtility.HtmlEncode(htmlString);
// result = <b>This is a test string</b><script>alert("alert!")</script> and some other text with markup <ol><li>1234235</li></ol>
string decodedString = HttpUtility.HtmlDecode(encodedString);
// result = <b>This is a test string</b><script>alert("alert!")</script> and some other text with markup <ol><li>1234235</li></ol>
ASP.NET Controls and HTMLEncode
I was going to post the information I had from my class, but I found a link that lists the exact same thing (for 1.1 and 2.0), so I'll post the link for easier reference. You can probably get more information on a specific control not listed (or 3.0/3.5/4.0 versions if they've changed) by looking on MSDN, but this should serve as a quick start guide for you, at least. Let me know if you need more information and I'll see what I can find.
ASP.NET Controls Default HTML Encoding
Here's a more comprehensive list from one of the MSDN blogs: Which ASP.NET Controls Automatically Encodes?
I would go with storing it encoded in database, then when showing Decode it and replace only the < with < if you say you need to preserve other things.
As far as I know, if you replace the < XSS is not really possible as any JS code must be inside <script> tags to be executed and by replacing, you'll get this in the HTML source:
<script> and the user will see <script> on the screen as the browser will parse the < entity.
This said, if you allow users to post "raw" HTML e.g. <b>this section is bolded</b> then you'll have to create "white list" of allowed tags then manually replace the < with the proper HTML for example:
string[] allowedTags = new string[] { "a", "b", "img" };
foreach (allowedTag in allowedTags)
output = output.Replace("<" + allowedTag, "<" + allowedTag);
Have you seen the OWASP guide on this
The best way would be to have an white list of allowed tags instead of a trying to come up with a way to prevent all script tags.
One solution on how to do this is here How do I filter all HTML tags except a certain whitelist?
But you also need to be aware people might have a link to external script via an image tag with a URL to their own server. See examples here http://ha.ckers.org/xss.html of the different types of attacks you need to defend against
First, this could look like duplicate for
How to prevent your JavaScript code from being stolen, copied, and viewed ?
And other, but it's not.
I search for ideas that can do, that stealing of JS can be very hard
Some of my examples:
of course obfuscate code
use a document.location an check if some
letter in domain equals to letter on that position where script
normally works
use part of this location in function call, something like eval('first_part_of_function_name'+part_from_location+'third_pard(parameters)');
store some important constant need in application in some element in your page-design, and get it from there in JS like $('#header div.onright a rel')
get some portion of script by AJAX and eval() it
add to script some unnecessary function, instructions.
check for existance of some elements in page (copyright text on footer)
generate some time-variable hash in PHP and put in JS, where will be function that checks this hash and current time to work or not
maybe use of other JS files ? or events binded to elements hidden in very common scripts (like bind some action in jquery-min.X.X.X.js file where all jquery is.
Are they good ideas ? Have some more ? I think that most important can be variety of things wich you can do with document location, is that the only element that will be driffrent than working in normal coditions on our site ?
No matter how complex you make your code, it can always be read, if necessary with abstract interpretation, i.e. automatically capturing the essence of your code. Code without knowledge of internals, variable names (I assume you're already using minimization, for example with the YUI compressor), documentation, support, and generalization is worthless for anyone else.
If a competitor (or potential customers) of yours is stealing your code, consider simply suing them. If it's some random guy on the internet, why do you care?
One more tool http://closure-compiler.appspot.com/home
I'm currently working on a Safari Extension to create a printable form based upon information provided within a website. A custom CSS stylesheet wouldn't be ideal, instead I was hoping that it would be possible to do the following...
If I were to have the following DIV on page called name.html
<div id="name">John</div>
Is there a way of getting the contents of #name and passing it into a text field in another page called form.html? Ideally, avoiding server side scripts?
To retrieve the element's text (as in ALL the text, subnodes included):
var value = document.getElementById('name').textContent;
Then to assigned the text to the input field in another page:
document.getElementById('myField').value = value;
Of course that doesn't work across pages. If you don't want to use server-side code for this, one simple way of doing it would be to pass the code in a query string, redirect to your form page, and retrieve the variable from the query parameters. Which sounds simpler than it actually is, as you'd need a function to add a query parameter, another one to read a query parameter, and to be sure that everything is encoded and decoded properly.
Another - bad - alternative could be to use cookies via JavaScript.
Another - better but not yet widespread - alternative could to use the WebStorage API. (see localStorage and/or sessionStorage). This will require a modern browser supporting these APIs (for instance, Google Chrome, IE9, Firefox 4, etc...)
The embedded links will provide the missing parts.