topic Re: Are the following characters XSS vulnerable? in Alfresco Archive

Are the following characters XSS vulnerable?

neufmartial — Fri, 30 Mar 2012 12:36:45 GMT

Hi, We are trying to implement security in our application, wherein we need to encode and decode the user inputs.So can anybody please provide me a list of all the characters that are disallowed or dangerous, that I need to encode?For eg. for "<" character we use <, for ">" character

Re: Are the following characters XSS vulnerable?

mikeh — Fri, 30 Mar 2012 12:47:58 GMT

The answer is very much "it depends"…

- It depends what code is consuming the user input
- It depends whether you want to display the user input back to the user
- It depends whether you want to POST the input, or include it on a URL

We have a client-side function called Alfresco.util.encodeHTML() which will make any string safe to display on a web page. there is also the JavaScript function encodeURIComponent() should you need to put these strings on a URL.

There's no definitive list of dangerous characters, simply because we don't know what you're ultimately doing with that user input.

Thanks,
Mike

Re: Are the following characters XSS vulnerable?

neufmartial — Fri, 30 Mar 2012 14:58:09 GMT

Hello MikeH,

Thanks for the quick reply. Yes, we do want to display the code to the user. In our application, we will be taking user input, then we are encoding the user input with certain characters, which is listed below. Then this encoded value will be inserted in the Database. There are several places in application where we will be displaying this encoded vale i.e. user input, to the user.

[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

So if the user enter's something malicious string or code, then that string will be searched for a list of characters like "<", ">" etc. listed below. If a match is found then it will be encoded.

We were using AppScan tool to test our application, and found that there are 17 characters which are vulnerable to XSS, so we must encode them. Please see the following link for the same.

http://www.51testing.com/?uid-13997-action-viewspace-itemid-77651

Now I need to find if there are any other disallowed characters which may be vulnerable to XSS. So after googling out, I have found above characters, but I need to be sure that we will need to encode them.

I know that there are many pre-defined function available to encode, like one you said the JavaScript function encodeURIComponent(), but in our application we will be maintaining a whitelist of characters which will be stored in Database something like following.

[< <],[> >], and so on for other characters.

Here "[]"(square brackets) are used to contain the vulnerable characters. it contains the characters followed by space, and then followed by Html entity code for the character. So [< <] contains less than(<) character followed by its Html Entity code.

So when the application starts, the application will query the Database to get all the characters, and keep them in a map.

So when the user inputs something, the application will check the string against the characters in the map, and if a match is found, then replace the character with its equivalent Html entity code.

So I have been asked to find out any other characters apart from 17 listed above, that will be vulnerable to XSS.

Thanks & Regards,
Dines

Re: Are the following characters XSS vulnerable?

mikeh — Fri, 30 Mar 2012 16:08:13 GMT

From that article, you don't need to filter out all those characters if you're just worried about XSS. From an Alfresco Share point of view, using the encodeHTML() function I mentioned above should be sufficient for user-visible strings.

Note if you use the Alfresco APIs rather than trying to access the database directly (we strongly recommend you stay away from the database itself) then you also won't be open to SQL injection attacks.

It sounds a little like you've got your own web app - perhaps using Alfresco as a headless repository? In that case you would probably be wise to employ a specialist web security consultant to test your app before making it live.

Thanks,
Mike

Re: Are the following characters XSS vulnerable?

neufmartial — Sat, 31 Mar 2012 17:02:05 GMT

Hi Mike,

Thanks for the reply. Actually I am working for a company, where we already have a web application. Now we are trying to implement security in our application. We won't be using any open source API for that, since this decision has already been taken, and its not in my hands. Somebody had done initial analysis using AppScan tool, and found the 17 characters mentioned in the link. Now my manager has asked me to find any additional characters that we will need to encode. So I am just googling out to find any such characters. I have found the characters, that I have mentioned in my earlier post. But I need to confirm those characters. I don't need to encode them, since that part is handled by different team. I just need to provide them my analysis, stating any other disallowed characters, apart from 17 characters mentioned in AppScan test.

Thanks,
Dinesh