Are the following characters XSS vulnerable?

neufmartial
Champ in-the-making
Hi,
We are trying to implement security in our application, wherein we need to encode and decode the user inputs.

So can anybody please provide me a list of all the characters that are disallowed or dangerous, that I need to encode?

For example, for the "<" character we use &lt;, and for the ">" character we use &gt;.

So can anybody please tell me whether the following characters are XSS vulnerable, and if so, how to encode them?

1) ! - exclamation mark - characters for additional command execution

2) - hyphen - can be used in database queries, and the creation of negative numbers.

3) /\ = The forward-slash and back-slash are often used for faking paths and queries

4) { } [ ] = Curly brackets and square brackets are often used as script, program or regex expressions.

5) *(asterisk) = Often used in database queries for “all”.

e.g. <script>x=""*alert(1)*"";y=42;</script>

6) `(Grave accent) = If you need to use both double and single quotes you can use a grave accent(`) to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents.

<IMG SRC=`javascript:alert("Hello, 'XSS'")`>

7) / (division or forward slash) -

<script>x=""/alert(1)/"";y=42;</script>

8) Bitwise "xor" operator: (^)


<script>x=""^alert(1)^"";y=42;</script>


9) Bitwise Left Shift (<<)

<script>x=""<<alert(1)<<"";y=42;</script>



10) Bitwise Right Shift (>>)

<script>x="">>alert(1)>>"";y=42;</script>



11) Bitwise Right Shift With Zeros

<script>x="">>>alert(1)>>>"";y=42;</script>



12) Ternary Conditional Expression

<script>x=""?alert(1):"";y=42;</script>


Please let me know if I need to encode these characters too. I am using Java for development.

Thanks

mikeh
Star Contributor
The answer is very much "it depends"…

- It depends what code is consuming the user input
- It depends whether you want to display the user input back to the user
- It depends whether you want to POST the input, or include it on a URL

We have a client-side function called Alfresco.util.encodeHTML() which will make any string safe to display on a web page. There is also the JavaScript function encodeURIComponent() should you need to put these strings on a URL.

There's no definitive list of dangerous characters, simply because we don't know what you're ultimately doing with that user input.

Thanks,
Mike

neufmartial
Champ in-the-making
Hello MikeH,

Thanks for the quick reply. Yes, we do want to display the code to the user. In our application, we will be taking user input, then we are encoding the user input with certain characters, which are listed below. Then this encoded value will be inserted in the Database. There are several places in the application where we will be displaying this encoded value, i.e. the user input, to the user.

[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

So if the user enters some malicious string or code, then that string will be searched for a list of characters like "<", ">" etc. listed below. If a match is found, then it will be encoded.

We were using AppScan tool to test our application, and found that there are 17 characters which are vulnerable to XSS, so we must encode them. Please see the following link for the same.

http://www.51testing.com/?uid-13997-action-viewspace-itemid-77651

Now I need to find out if there are any other disallowed characters which may be vulnerable to XSS. So after googling, I have found the above characters, but I need to be sure that we will need to encode them.

I know that there are many pre-defined functions available to encode, like the one you mentioned, the JavaScript function encodeURIComponent(), but in our application we will be maintaining a whitelist of characters which will be stored in the Database, something like the following.

[< &lt;],[> &gt;], and so on for other characters.

Here "[]" (square brackets) are used to contain the vulnerable characters. It contains the character followed by a space, and then followed by the HTML entity code for the character. So [< &lt;] contains the less-than (<) character followed by its HTML entity code.

So when the application starts, the application will query the Database to get all the characters, and keep them in a map.

So when the user inputs something, the application will check the string against the characters in the map, and if a match is found, then replace the character with its equivalent Html entity code.

So I have been asked to find out any other characters apart from 17 listed above, that will be vulnerable to XSS.

Thanks & Regards,
Dinesh

mikeh
Star Contributor
From that article, you don't need to filter out all those characters if you're just worried about XSS. From an Alfresco Share point of view, using the encodeHTML() function I mentioned above should be sufficient for user-visible strings.

Note if you use the Alfresco APIs rather than trying to access the database directly (we strongly recommend you stay away from the database itself) then you also won't be open to SQL injection attacks.

It sounds a little like you've got your own web app - perhaps using Alfresco as a headless repository? In that case you would probably be wise to employ a specialist web security consultant to test your app before making it live.

Thanks,
Mike
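As an added example, not code from this thread or from Alfresco, the following script shows in working code what mikeh's "it depends" answer means: the same user input is rendered into an HTML text node, into a JavaScript string literal and into a URL parameter, and each context gets the encoding it actually needs. The helper names (encodeHtml, encodeJsString, renderHtmlText, renderJsLiteral, renderUrlParam, htmlTextIsInert, jsLiteralIsInert) are this example's own and are not Alfresco.util.encodeHTML(); encodeURIComponent() is the standard function Mike mentions. The payloads are copied from the question above as constructed test input, plus one constructed payload that contains no "<" at all. Runs with Node.

```javascript
// Added example (not code from this thread or from Alfresco). Helper names
// below are this example's own assumptions, not Alfresco.util.* APIs.

// Entity table for HTML text and quoted-attribute contexts. These are the
// only characters that can change how a text node or quoted attribute is
// parsed; '/' is added for unquoted-attribute sinks. '&' must be encoded so
// the output decodes unambiguously.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function encodeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// JavaScript string-literal context. HTML entities do not help here (the JS
// parser never decodes them), so hex/unicode-escape every non-alphanumeric
// character: quotes, backslashes, line terminators and '</script>' can then
// no longer end the literal or the script block.
function encodeJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Three simulated sinks for the same piece of user input.
function renderHtmlText(userInput) {
  return '<p>Search results for: ' + encodeHtml(userInput) + '</p>';
}

function renderJsLiteral(userInput) {
  return '<script>var q = "' + encodeJsString(userInput) + '";</script>';
}

function renderUrlParam(userInput) {
  // encodeURIComponent is the standard browser/Node function Mike names.
  return '/search?q=' + encodeURIComponent(userInput);
}

// Constructed test input: the payloads quoted in the question, plus one
// that has no '<' at all but would break out of a JavaScript string.
const PAYLOADS = [
  '<script>x=""*alert(1)*"";y=42;</script>',
  '<IMG SRC=`javascript:alert("Hello, \'XSS\'")`>',
  '";alert(1);//',
];

// True if nothing inside our <p>...</p> wrapper could open a tag or attribute.
function htmlTextIsInert(rendered) {
  const body = rendered.slice('<p>'.length, -'</p>'.length);
  return !/[<>"']/.test(body);
}

// True if the literal still holds exactly the escaped value: after removing
// the \xHH and \uHHHH escapes, nothing but alphanumerics may remain.
function jsLiteralIsInert(rendered) {
  const inner = rendered.slice('<script>var q = "'.length, -'";</script>'.length);
  return /^[A-Za-z0-9]*$/.test(inner.replace(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/g, ''));
}

// Stand-alone run: every payload is inert in every context.
for (const p of PAYLOADS) {
  console.log(htmlTextIsInert(renderHtmlText(p)), jsLiteralIsInert(renderJsLiteral(p)), renderUrlParam(p));
}
```

Note that encodeHtml leaves the operators from the question (*, ^, <<, >>, ?, { }, [ ]) untouched, yet all three payloads are inert in the text-node context, because only & < > " ' (and / for unquoted attributes) can change how an HTML text node or quoted attribute is parsed. The third payload contains no "<" at all but would still break a JavaScript string literal, which is why a character list derived from one sink cannot simply be reused for another.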

neufmartial
Champ in-the-making
Hi Mike,

Thanks for the reply. Actually I am working for a company where we already have a web application. Now we are trying to implement security in our application. We won't be using any open source API for that, since this decision has already been taken, and it's not in my hands. Somebody had done an initial analysis using the AppScan tool, and found the 17 characters mentioned in the link. Now my manager has asked me to find any additional characters that we will need to encode. So I am just googling to find any such characters. I have found the characters that I mentioned in my earlier post. But I need to confirm those characters. I don't need to encode them, since that part is handled by a different team. I just need to provide them my analysis, stating any other disallowed characters apart from the 17 characters mentioned in the AppScan test.

Thanks,
Dinesh