I've been setting a div equal to some user inputted data using query $('#div').text(data). The security I had was to pass the data processed first on server side, returning htmlentities(data) etc. I noticed that when the output is displayed, the entities are not decoded. They are decoded if I use jquery html(data) instead.
Since it doesn't appear that the html is rendered for the data in text(data), would it be okay to pass anything to it without first using htmlentities?
What is the proper security setup for this scenario? I read that html(data) was susceptible to some security holes, so that's why I was trying text(data) instead.
Related
The results for OWASP's ZAP has been very useful for eliminating vulnerable parts of my website.
However, I've found a lot of results that I simply cannot fix. For example, one of the get parameters it has put javascript:alert(1); in to the variable. This variable is then output by PHP in a hidden element's value attribute. So the final HTML looks like:
<input type="hidden" name="someName" id="someID" value="javascript:alert(1);"/>
This value is normally used to populate a drop down with JavaScript. If it's 1 it shows optional search filters, if 0 it shows nothing. So it's only used in a string comparison that fails.
I see no way for this to be exploited, the alert does not run like other attacks ZAP has shown me. The output is encoded so they cannot inject HTML by ending the quotes or element early with "/> like previously found attacks, as these characters become their HTML entities counterpart.
Is this just a false positive from ZAP matching the input string in the page source, as encoding javascript:alert(1); still equals exactly the same as javascript:alert(1);?
The vulnerability means that ZAP managed to insert arbitrary code into that input field. This means that you're most likely not validating user input somewhere in the app.
You should be more careful about generating that input field, and ensure that the GET parameter(s) used to generate it are validate accordingly.
Remember, it's better to be safe, than sorry (i.e. have your app compromised).
Yes, OWASP's ZAP tries to find vulnerabilities on your website, and it works automatically.
If it's sucesfull in adding ANY PART of code into your website, the website is considered vulnerable automatically.
If your website only accepts "0" or "1" as the value of hidden input, and doesn't save or prompt the value anywhere (not even to cookies), this is not a security vulnerability, and you're safe.
Your HTML looks safe to me. However, consider a similar case:
test
This will produce a link that will execute JavaScript. It could be that ZAP is being extra careful so that cases like this get picked up.
For this specific case, you should whitelist what URL schemes are allowed in user provided links. For example only allow http, https, mailto, etc.
For example I have a Javascript-powered form creation tool. You use links to add html blocks of elements (like input fields) and TinyMCE to edit the text. These are saved via an autosave function that does an AJAX call in the background on specific events.
The save function being called does the database protection, but I'm wondering if a user can manipulate the DOM to add anything he wants(like custom HTML, or an unwanted script).
How safe is this, if at all?
First thing that comes to mind is that I should probably search for, and remove any inline javascript from the received html code.
Using PHP, JQuery, Ajax.
Not safe at all. You can never trust the client. It's easy even for a novice to modify DOM on the client side (just install Firebug for Firefox, for example).
While it's fine to accept HTML from the client, make sure you validate and sanitize it properly with PHP on the server side.
Are you saving the full inline-html in your database?
If so, try to remake everything and only save the nessesary data to your backend. ALL fields should also be controlled if they are recieved in the expected way.
All inline-js is easily removed.
You can never trust the user!
Absolutely unsafe, unless you take the steps to make it safe of course. StackOverflow allows certain tags, filtered so that users can't do malicous things. You'll definately need to do something similar.
I'd opt to sanitize input server side so that everyone gets their input sanitized, whether they've blocked scripts or not. Using something like this: http://www.phpclasses.org/package/3746-PHP-Remove-unsafe-tags-and-attributes-from-HTML-code.html or http://grom.zeminvaders.net/html-sanitizer implemented with AJAX would be a pretty good solution
I have a script that registers users based on their user input. This uses prepared statements plus whitelists to prevent sql injection. But I am struggling to understand the prevention of XSS.
From what I understand, you only need to prevent XSS if you are outputting HTML onto the page? What does this mean???
Im guessing that with this register page it doesn't apply because I am not outputting HTML to the web page? Is that right?
If I was to prevent XSS, do I use htmlspecialchars?
Generally correct, if you are having any returned values show up on the page, or if you are inserting information into the database for later retrieval and display (like user profile information) you will want to use htmlspecialchars.
For me, when I do my user registration, if they fail to enter a correct value in an input field, I redisplay the page with the values they entered. In this case, I have it encoded with htmlspecialchars.
If at any point ever, you plan on redisplaying the information from the DB into a webpage (as mentioned with profiles and the like) you should use htmlspecialchars.
Better safe than sorry I always say - never trust user input
Basically, XSS happens when you are taking the user's input un-sanitized and display in your webpage.
For example: A user inputs
<script>alert('hello you are hacked');</script>
In a text box, and you show this in your webpage after it is registered like
Hello, $username
This suddenly gets turned into
Hello, <script>alert('hello you are hacked');</script>
This is one of the form of XSS
One of a effiecient way to prevent XSS is like this
echo htmlspecialchars($varname, ENT_QUOTES, 'UTF-8');
From what I understand, you only need to prevent XSS if you are
outputting HTML onto the page? What does this mean???
XSS is an attack carried out by the server outputting HTML (in practice, Javascript) to the client when it did not mean to do so (and obviously when that HTML was specially crafted and supplied by a hostile user).
Im guessing that with this register page it doesn't apply because I am
not outputting HTML to the web page? Is that right?
If you are not outputting anything that comes from user input you are safe.
If I was to prevent XSS, do I use htmlspecialchars?
Yes, that is sufficient.
I am passing a textarea input boxs' contents via POST to my php file from html (no javascript allowed).
I then use simplexml to get the feed at the url the user entered.
Unfortunately, the user can enter anything into the textarea. Which I am told is dangerous.
What is the recommended way to clean and secure the POST contents using PHP to get them ready and safe for the simplexml procedure?
(basically, to be sure they are not malicious and check they are a valid url)
Content inside a $_POST array are strings, so there's nothing ineherently unsafe there.
User enters php code? It surely won't be executed, so no problem here (this, among many others, is a reason not to use such things as eval()). So whatever php function or command he writes it will be read as a simple string, and string are no harmful whatever they contain.
User enters malicious javascript? Still no problem, as javascript inside php, or inside a database for what that matters, is pretty useless since it needs a browser to execute.
This leads to the real issue: user supplied contents needs to be "sanitized" only right before passing it to the target medium. If you're going to feed a database , use the escaping tools provided by your engine. If you're going to output it on the webpage, that's when you need to sanitize from malicious XSS attacks.
Sanitizing a POST array per se , before actually doing anything with its content, is wrong as you never know for sure when and where that content needs to be used; so don't even think to use strip_tags() or analogue functions that comes to your mind right after you get the POST value, but pass it as is and add the necessary escaping/sanitizing just when needed.
What you actually need to do, then, you only know, so act accordingly
Which I am told is dangerous.
it is wrong.
What is the recommended way to clean and secure the POST contents
it am afraid there is nothing to secure
Every now and then, I get unusual data saved to the database from my PHP form that looks like this:
Mr. Smith&amp;amp;amp;amp;amp;amp;#039;s
What could be causing this, and is there a better way to remove the entities than using preg_replace, since the php decode functions don't properly decode the entire thing?
I would suggest looking at the code processing data from the form pre-insertion into the database. If you are sanitising the data to be displayed on a web page use htmlentities($var); if you are are only sanitising it for security purposes look into prepared statements / stored procedures or just mysql_real_escape_string($var). If all else fails post the code and we'll have a look.
This must be due to some technical problem. The best way to decode the entities and after that if you find something like:
/&([a-z]+|#[0-9]+);/
Do not accept the form, just alert the user about the invalid value.
You could take a look at Codeingiters' source code where they remove entities at https://bitbucket.org/ellislab/codeigniter/src/c07dcadf094e/system/libraries/Security.php in the xss_clean method. This will give you a good idea of how to clean most of them more effectively.