XSS - I'm overthinking this..

LEGEND,
Nov 23, 2016

Hello, all,

I'm overly concerned about XSS attempts on my sites.  I cannot seem to find a decent solution.

I know that as far as using URL parameters on server-side processing, you should use canonicalize() to reduce encoded script to what a potential bad actor intended to run on the server, and sanitize from there.  Apparently, whitelisting is a very effective method.  But, what about when whitelisting isn't an option (like, for example, input into a database, or used as a conditional for database processing)?

Also, what about client-side effects?  I've seen where URL parameters can be used to inject JavaScript code into a page.  Now, I know that EncodeForURL() and others should be used, but how can one manipulate the URL so that XSS would be rendered useless?  Without using a redirect like CFLOCATION?

V/r,

^_^

PS:  It's the day before Thanksgiving Day, in the USA, so I won't be on much between now and Monday.  Happy Thanksgiving Day to all American users!

Adobe Community Professional,
Nov 28, 2016

@Wolfshade, you can never overthink security risks. I share your concerns.

In fact I, too, spent some time last year looking into this very issue for our own sites. I found, a bit to my dismay, that the attacker could strike from many fronts. It means you have to defend on many fronts.

I drew up a check-list. It contained, among others, url-encode, canonicalize, ScriptProtect, code to detect simultaneous logins, HTTPOnly cookies and Content Security Policy. When I was drawing up the list, I found these two sites useful:

Cross-site scripting - Wikipedia

Cross-site Scripting (XSS) - OWASP

LEGEND,
Nov 30, 2016

Thanks for the links, BKBK.  I'll see if there's anything useful I can use.

V/r,

^_^

New Here,
Dec 12, 2016

My team has been working on tightening up XSS vulnerabilities on our old code.

One of the things you said really bothered me: " like, for example, input into a database, or used as a conditional for database processing"

I really, really hope you are not just taking URL vars and using them in your queries. THAT is an XSS problem.

So, just a few tips we've put together during our project:

1. Don't use URL variables unless you have to (framework?)

2. move URL vars to client (presumes client vars are db stored on server side - Cookies can be hacked).

3. Use <cfsqlqueryparam ... > in all queries

4. You can whitelist url vars, but you also have to validate accepted values. (e.g., "id" must be integer, "name" is alpha, with a max length ...)

5. No hidden form values (these can be spoofed)

6. Use CreateUUID() for unique identifiers and validate always

7. NEVER EVER display user input back to the screen.

just a few off the top of my head.

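A worked example, added here and not code from anyone in the thread, that ties the first post's question (canonicalize() first, then encode for the output context) to the checklist in the last reply (whitelist validation of accepted values, parameterised queries, and what to do when input really has to be echoed). It assumes a hypothetical `products` table with an integer `id` and text `name`, and a datasource named `myDsn`; both are placeholders.

```cfml
<cfscript>
// Added example (not from the thread). Table "products" and datasource "myDsn" are hypothetical.

// 1. Canonicalize before inspecting: double- or mixed-encoded input collapses to its real
//    value, and restrictMultiple/restrictMixed = true makes canonicalize() throw on input
//    that needed more than one decoding pass (a common evasion of naive filters).
param name="url.id" default="";
param name="url.q"  default="";
rawId = canonicalize(url.id, true, true);
rawQ  = canonicalize(url.q,  true, true);

// 2. Whitelist validation of accepted values, not just of parameter names:
//    "id" must be a positive integer, "q" limited to a small character set and length.
if ( !isValid("integer", rawId) || rawId <= 0 ) {
    throw(type="Application", message="Invalid product id");
}
productId = int(rawId);
if ( !reFind("^[A-Za-z0-9 ]{0,40}$", rawQ) ) {
    throw(type="Application", message="Invalid search term");
}

// 3. Never concatenate user input into SQL: bind it as a typed parameter
//    (queryExecute named params are the script-syntax equivalent of <cfqueryparam>).
products = queryExecute(
    "SELECT id, name FROM products WHERE id = :id OR name LIKE :q",
    {
        id = { value = productId,          cfsqltype = "cf_sql_integer" },
        q  = { value = "%" & rawQ & "%",   cfsqltype = "cf_sql_varchar" }
    },
    { datasource = "myDsn" }
);

// 4. If input must be shown back, encode for the exact context it lands in.
//    Each context has different metacharacters, so one encoder does not fit all:
writeOutput("<p>Results for " & encodeForHTML(rawQ) & "</p>");                       // HTML body
writeOutput("<input type=""text"" value=""" & encodeForHTMLAttribute(rawQ) & """>");  // attribute
writeOutput("<script>var term = '" & encodeForJavaScript(rawQ) & "';</script>");      // JS string
writeOutput("<a href=""search.cfm?q=" & encodeForURL(rawQ) & """>Next page</a>");     // URL query
</cfscript>
```

The encoders in step 4 are why a blanket "never display user input" rule can be relaxed: reflected input is only dangerous when it is written into a context without that context's encoding.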