ajax call vulnerable to xss attack - ajax

I have a simple web application in which I make a call to a Java servlet using Ajax from a JSP page (via POST). In the servlet I take data from the database and formulate a JSON and retrieve it in the JSP page. I then use the eval function to parse the JSON and display the data in the division using the innerHTML property. Somehow, this approach seems to be vulnerable to XSS attacks. Can someone provide some pointers on how an XSS attack can be prevented in this use case?

This sounds like DOM Based XSS. There are a few ways of preventing DOM Based XSS. Either you have to HTML encode the data on the server or the client. HTML encoding data in the database should always be avoided because it changes the value of the data and will affect how the data is sorted, etc. XSS is an output problem so it should be solved by the code that is building the HTML, which in your case is JavaScript.

Newer browsers support JSON.parse(). For older browsers use json2.js.
You should also properly encode the JSON so values cannot break out of quotes etc. Find a decent json encoder and use that on the server side.
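To make the answer concrete, here is an added example (not code from the question or from the answer above) showing the eval()-based parsing the question describes next to a JSON.parse() version, with HTML encoding applied in the JavaScript that builds the markup. It runs under Node without a DOM: the servlet response is a constructed string, and renderRows() returns the HTML that the page would assign to innerHTML instead of assigning it. escapeHtml, renderRows, parseWithEval, parseWithJsonParse and both sample responses are this example's own names and data, not anything from the original post.

```javascript
// Added example for the Ajax/JSON/innerHTML question above. Nothing here is
// from the original post; names and sample data are assumptions.

// Output-encode for an HTML text context: the five characters that can
// change meaning in HTML. Applied where the HTML is built, not in the DB.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The pattern from the question: eval() treats the response as a program.
function parseWithEval(responseText) {
  return eval("(" + responseText + ")");
}

// Hardened: JSON.parse() accepts only JSON data; anything else throws.
function parseWithJsonParse(responseText) {
  return JSON.parse(responseText);
}

// Builds the HTML that would go into div.innerHTML. Every value taken from
// the parsed JSON is encoded first, so a stored payload such as
// <img src=x onerror=...> is rendered as visible text, not executed.
function renderRows(rows) {
  return rows
    .map((r) => "<li>" + escapeHtml(r.name) + ": " + escapeHtml(r.comment) + "</li>")
    .join("");
}

// Constructed sample 1: a well-formed JSON response whose second record
// carries a stored-XSS payload (the servlet did not encode it).
const sampleJson = JSON.stringify([
  { name: "alice", comment: "hello" },
  { name: "mallory", comment: "<img src=x onerror=alert(1)>" },
]);

// Constructed sample 2: not JSON at all, but valid JavaScript. A response
// tampered with in transit, or a servlet that echoes attacker text unquoted
// into the "JSON", looks like this to eval().
const tamperedResponse =
  '(function () { globalThis.evalRan = true; return [{"name":"x","comment":"y"}]; })()';

function demo() {
  // JSON.parse does not remove the stored payload; output encoding does.
  const safe = renderRows(parseWithJsonParse(sampleJson));

  // JSON.parse refuses the tampered response outright...
  let jsonParseRejected = false;
  try {
    parseWithJsonParse(tamperedResponse);
  } catch (e) {
    jsonParseRejected = e instanceof SyntaxError;
  }

  // ...while eval() runs the attacker's function before returning the data.
  globalThis.evalRan = false;
  parseWithEval(tamperedResponse);

  return { safe, jsonParseRejected, evalRan: globalThis.evalRan };
}

console.log(demo());
```

Two separate things are being fixed here, and the example keeps them apart: JSON.parse() only closes the hole where the response itself is not strictly JSON (sample 2), while the stored payload in sample 1 is neutralised by encoding at the point where the HTML string is assembled. If a value never needs markup at all, assigning it with textContent instead of innerHTML avoids the encoding step entirely.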

Related

Apache wicket Base64 encode the Ajax form data before submission

Our application(based on Apache Wicket framework) actively uses Ajax in the form of AjaxButton, AjaxLinks etc. We want to encode the form data request in Base64 format before form submission and later decode it just after form submission. Basically, only the Base 64 encoded text will be a part of request data.
In other applications which use JavaScript and Java (Struts framework), we have applied the encoding logic in JavaScript before document.form.submit and then on the Java/server side, the decoding logic is applied.
Any idea how can we achieve the same in Apache wicket which follows Ajax form submission logic?
We tried AjaxCallListener but could not get hold of the request data. Hence, could not apply the encoding logic on the request.
At the server side it should be easy to intercept the parameters read by extending ServletWebRequest and overriding the generatePostParameters() method.
Wicket uses jQuery to make the Ajax calls. But I see no way how to manipulate the data parameter before making the call.

jqgrid autoencode=true encode postdata

I'm trying to fix XSS vulnerabilities across my web application and I'm stuck with jqGrid.
I activated 'autoencode' for all my grids and the documentation says: "When set to true encodes (html encode) the incoming (from server) and posted data (from editing modules).".
My problem is that I don't understand why posted data are encoded. This way I'm getting HTML escaped text in my database. So this database is no more readable by another application (or it has to decode all texts), and in addition database search doesn't work any more.
So, is it possible to only encode data retrieved from the database and post data as is?
Currently, I disabled autoencode and added formatter on all my columns to escape all text. Is it the only way ?
You can use serializeEditData (in case of using form editing), serializeRowData (in case of using inline editing) or serializeCellData (in case of using cell editing) to change the data which will be sent to the server during editing. To decode the data you can use for example $.jgrid.htmlDecode. You can enumerate all properties of the posted data and decode the value of the corresponding property. Alternatively you can use decoding of the posted data on the server side. Any technology which you use on the server provides a simple method which can be used for decoding. For example in ASP.NET one can use the HtmlDecode/HtmlEncode methods of HttpServerUtility.
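As an added illustration of the client-side decoding route the answer describes (example code, not jqGrid's own and not the answerer's): a callback shaped like jqGrid's serializeRowData/serializeEditData option that walks the object about to be posted and reverses the HTML encoding autoencode applied, so the database receives raw text while the grid still displays encoded values. htmlDecode below is a stand-in for $.jgrid.htmlDecode, written out so the example runs offline; the sample post, the column names and the set of jqGrid bookkeeping fields left untouched (id, oper) are this example's assumptions.

```javascript
// Added example for the jqGrid autoencode question above. Not jqGrid code;
// names, field set and sample data are assumptions.

// Named entities the decoder understands. A Map (not a plain object) is used
// so that a body like "constructor" cannot hit an inherited property.
const NAMED_ENTITIES = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"], ["nbsp", "\u00a0"],
]);

// Decodes &lt; &gt; &quot; &apos; &amp; &#NN; and &#xHH; in ONE pass.
// A single pass matters: "&amp;lt;" must become "&lt;" (the text the user
// typed), not "<", which a decode-then-decode-again approach would produce.
function htmlDecode(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES.get(body.toLowerCase());
    return named === undefined ? match : named;
  });
}

// Fields jqGrid adds to the post for its own bookkeeping (assumed set);
// they are never user-edited cell values, so leave them alone.
const CONTROL_FIELDS = new Set(["id", "oper"]);

// Shaped like a serializeRowData / serializeEditData callback: receives the
// object jqGrid is about to send and returns the object to send instead.
function decodePostData(postdata) {
  const out = {};
  for (const [key, value] of Object.entries(postdata)) {
    out[key] = CONTROL_FIELDS.has(key) || typeof value !== "string"
      ? value
      : htmlDecode(value);
  }
  return out;
}

// Constructed sample: what autoencode would post for an edited row whose
// "note" cell contained a literal "&lt;" typed by the user.
const samplePost = {
  id: "7",
  oper: "edit",
  title: "Tom &amp; Jerry &lt;3",
  note: "say &quot;hi&quot; &amp;lt;not a tag&amp;gt;",
};

console.log(decodePostData(samplePost));
```

Wired in as `serializeRowData: decodePostData` (or `serializeEditData` for form editing), the server sees `Tom & Jerry <3` and stores it as typed, while autoencode still encodes the same value on the way back into the grid. The server-side alternative the answer mentions is the same operation done once, centrally, which is usually easier to audit.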

How to know which type of data coming from back-end in ajax?

Working in the front-end we never know the back-end language, so how can I know whether the data coming from the back-end is in JSON or in text or in HTML or in XML? We don't have any authority or access to the back-end language.
Some languages declare this in the first line or 2... Why don't you just read the first few lines of the code?
Many languages will allow you to parse XML, not ideal to wrap it in a catch but it would work. However, you neglected to state what language you are using.
However, it may be worth while agreeing on a format, something like XML which you can then de-serialize ?
You can check Content-Type in Response Headers to know the response data type.

How can I validate HTML input to prevent XSS?

For example, StackExchange whitelists a subset of HTML:
https://meta.stackexchange.com/questions/1777/what-html-tags-are-allowed-on-stack-exchange-sites
How could you do that in your controller to make sure user input is safe?
This approach is not identical to StackExchange, but I found the AntiXSS 4.x library to be a simple way to sanitize the input to allow "safe" HTML.
http://www.microsoft.com/en-us/download/details.aspx?id=28589 You can download a version here, but I linked it for the useful DOCX file. My preferred method is to use the NuGet package manager to get the latest AntiXSS package.
You can use the HtmlSanitizationLibrary assembly found in the 4.x AntiXss library. Note that GetSafeHtml() is in the HtmlSanitizationLibrary, under Microsoft.Security.Application.Sanitizer.
content = Sanitizer.GetSafeHtml(userInput);
This can be done before saving to the database. The advantage is removing malicious content immediately, and not having to worry about it when you output it. The disadvantage is that it won't handle any existing database content, and you do have to apply this any time you're making database updates.
The alternate approach is to use this method every time you output content.
I'd love to hear what the preferred approach is.
You can try JSoup parser which along with sanitizing your HTML input will also provide many functionalities out of the box.
You can visit http://jsoup.org/ for more details on the JSoup and download the binary from there.
It provides DOM method to traverse through your HTML tree and get desired elements.
Although sanitizing your generated HTML code to prevent XSS attacks is a good practice, I would strongly advise against using any parser to avoid XSS attacks by sanitizing your HTML input.
If your HTML tree is very big then the response time would increase manifold. Instead of sanitizing your HTML tree you should ensure that whatever the user is entering in the FORM is proper and as per the expected value.
You can visit www.owasp.org to know more about how to avoid XSS attacks. The site provides you possible cheat sheets to ensure your HTML tree is free from any XSS attack.
ASP.NET HttpUtility.Htmlencode() makes it for you.
But if you want to block dangerous scripts, first DO NOT insert it to your database. First, clean the HTML Text before inserting to database.
I found a class that does it for you: http://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/
It works fine and you can add new tags and attributes to the custom whitelist of the Sanitizer.
Note: Microsoft Sanitizer and Anti-XSS Library were not useful for me. Maybe you can also try them.
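As an added example of the allowlist idea the answers above rely on (example code, not the AntiXSS, JSoup or the linked class's implementation): a small sanitizer that works the safe way round. It HTML-encodes the whole input first, so nothing in it can be parsed as markup, and only then turns back exact, attribute-free tags from a fixed list, plus `<a href>` with a double-quoted http(s) URL drawn from a conservative character set. Because every literal `<`, `>`, `"` and `'` is gone after the first step, the only markup that can come out is markup this code constructs itself. The tag list, the URL alphabet and the sample inputs are this example's assumptions, not StackExchange's actual whitelist.

```javascript
// Added example for the "validate HTML input" question above. Not any of the
// libraries mentioned; the allowlist and URL rule are assumptions.

const ALLOWED_TAGS = ["b", "i", "em", "strong", "code", "pre", "p", "ul", "ol", "li", "blockquote"];

// Full HTML encoding. After this the string contains no literal < > " ' or &
// at all, so nothing in it can be interpreted as a tag or an attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Exact, attribute-free tags only: &lt;b&gt; and &lt;/b&gt;, nothing between
// the tag name and &gt;, so <b onmouseover=...> never matches.
const TAG_RE = new RegExp("&lt;(/?)(" + ALLOWED_TAGS.join("|") + ")&gt;", "gi");

// Links: only href, only double-quoted, only http(s), only a conservative
// URL alphabet, matched non-greedily up to the first &quot;&gt;. The captured
// URL is still HTML-encoded (& appears as &amp;), which is exactly what a
// quoted attribute value needs; javascript: and data: never match.
const LINK_RE = /&lt;a href=&quot;(https?:\/\/[A-Za-z0-9._~:\/?#@!$&;=%+,-]*?)&quot;&gt;/gi;
const LINK_CLOSE_RE = /&lt;\/a&gt;/gi;

function sanitizeHtml(untrustedHtml) {
  let out = escapeHtml(untrustedHtml);
  out = out.replace(TAG_RE, (m, slash, tag) => "<" + slash + tag.toLowerCase() + ">");
  out = out.replace(LINK_RE, (m, url) => '<a href="' + url + '">');
  out = out.replace(LINK_CLOSE_RE, "</a>");
  return out;
}

// Constructed inputs: benign markup, a script, an event handler on an
// allowed tag, a good link and a javascript: link.
const SAMPLES = [
  "I <b>love</b> cats & dogs, 1 < 2",
  "<script>alert(1)</script>",
  '<b onmouseover="alert(1)">x</b>',
  '<a href="https://example.com/?a=1&b=2">ok</a>',
  '<a href="javascript:alert(1)">bad</a>',
];

for (const s of SAMPLES) console.log(sanitizeHtml(s));
```

The price of this construction is expressiveness: any attribute other than the one href form, and any tag outside the list, comes out as visible text rather than being repaired, and a rejected opening tag can leave a harmless stray close tag (see the `</b>` in the event-handler sample). A parser-based sanitizer such as the ones in the answers above can accept more; whichever you use, the result still belongs only in an HTML body context, and values destined for attributes, URLs or script need their own encoding.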

Use of Mechanize

I want to get response from websites that take a simple input, which is also reflected in the parameter of the url. Is it better to simply get the result by using conventional methods, for example OpenURI.open_uri(...) with some parameter set, or it is better to use mechanize, extract the form, and get the result through submit?
The mechanize page gives an example of extracting a form and submitting it to get the search result from Google search. However, this much can be done simply as OpenURI.open_uri("http://www.google.com/search?q=...").read. Is there any reason I should try to use one way or the other?
There are lots of sites where it turns out to be easiest to use mechanize. If you need to log in, and set a cookie before accessing the data, then mechanize is a simple way of doing this. Similarly, if there are lots of hidden fields that need to be matched (such as a CSRF token), then fetching the page using mechanize then submitting it with the data filled out is often a more foolproof method than crafting the URL yourself.
If it is a simple URI, like google's search pages, then manually constructing it may be simpler.