Bean:write filter doesn't work - xss

I'm working on an application with Struts 1 and JSP. I have to write XSS protection. I have inputs like this one:
<input id="name" name="name" class="someClass" type="text"
value="<bean:write name="personForm" property="name"/>">
I read that for protection against XSS attacks I have to add the attribute filter to bean:write and filter should be true. So my code looks like this now:
<input id="name" name="name" class="someClass" type="text"
value="<bean:write name="personForm" property="name" filter="true"/>">
But still I'm able to submit scripts. Do you know why this might happen?

bean:write is only for rendering purposes. The value passed to the server side does not get filtered.

Bypass XSS filter

How can I bypass the XSS filter and pop an alert on this page:
http://leettime.net/xsslab1/stage--08.php
The script seems to filter single quotes (') on the server side, making it impossible for me to inject into the value field.
<input type="text" name="name" value=''></input>
This page is part of an XSS test series, so I am sure that it is possible to pop an alert somehow, but I just don't know how.
Enter a name and click submit. The form is submitted through a GET request so you can see the two parameters in the URL. Both are reflected in the HTML response.
name=spongebob&submit=
<font size=3>Enter Your Name here : <input type="text" name="name" value='spongebob'></input>
<input type="submit" name="submit" value="">
Instead of the name parameter, focus on submit. It is enclosed in double quotes, which aren't filtered. Because the character > is removed it is not possible to close the tag, so injection must occur inside the tag. > is stripped away:
name=spongebob&submit=%22%3E%3Cscript%3Ealert(document.URL)%3C/script%3E
<input type="submit" name="submit" value=""<scriptalert(document.URL)</script">
It's possible to run javascript automatically by combining onfocus and autofocus.
name=spongebob&submit=%22%20autofocus%20onfocus=%22alert(document.URL)
<input type="submit" name="submit" value="" autofocus onfocus="(document.URL)">
This is a working XSS that will run automatically in Firefox but not in Chrome because Chrome's XSS auditor will detect it is a reflected XSS.
Chrome XSS auditor reports that 'Token contains a reflecte XSS vector'
So let's use server side filtering of '>' to our advantage so Chrome can't detect that the submit parameter is reflected to the HTML.
name=spongebob&submit="%20auto>focus%20onf>ocus="alert(doc>ument.URL)
Chrome XSS auditor bypassed because of server-side filtering.
I was mistaken. There is additional form field that can be injected to complete the task.

Django and Salesforce Web to Lead

We have website developers redesigning the whole site in Django, and these are questions from our website developers I don't have any real knowledge of how to answer, so I thought someone here might be able to help.
We ran into a few problems with the web to lead and having it map to Salesforce which I HOPE we resolved.
Here's the code snippet:
<!-- ---------------------------------------------------------------------- -->
<!-- NOTE: Please add the following <META> element to your page <HEAD>. -->
<!-- If necessary, please modify the charset parameter to specify the -->
<!-- character set of your HTML page. -->
<!-- ---------------------------------------------------------------------- -->
<META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=UTF-8">
<!-- ---------------------------------------------------------------------- -->
<!-- NOTE: Please add the following <FORM> element to your page. -->
<!-- ---------------------------------------------------------------------- -->
<form action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST">
<input type=hidden name="oid" value="SFDCidhere">
<input type=hidden name="retURL" value="http://">
<!-- ---------------------------------------------------------------------- -->
<!-- NOTE: These fields are optional debugging elements. Please uncomment -->
<!-- these lines if you wish to test in debug mode. -->
<!-- <input type="hidden" name="debug" value=1> -->
<!-- <input type="hidden" name="debugEmail" -->
<!-- value="emailaddresshere"> -->
<!-- ---------------------------------------------------------------------- -->
<label for="first_name">First Name</label><input id="first_name" maxlength="40" name="first_name" size="20" type="text" /><br>
<label for="last_name">Last Name</label><input id="last_name" maxlength="80" name="last_name" size="20" type="text" /><br>
<label for="email">Email</label><input id="email" maxlength="80" name="email" size="20" type="text" /><br>
<label for="company">Company</label><input id="company" maxlength="40" name="company" size="20" type="text" /><br>
<label for="phone">Phone</label><input id="phone" maxlength="40" name="phone" size="20" type="text" /><br>
Subject:<textarea id="00N1600000EgFuw" name="00N1600000EgFuw" rows="3" type="text" wrap="soft"></textarea><br>
Contact me:<input id="00N1600000EvgRY" name="00N1600000EvgRY" type="checkbox" value="1" /><br>
newsletter:<input id="00N1600000EvgRd" name="00N1600000EvgRd" type="checkbox" value="1" /><br>
<input type="submit" name="submit">
</form>
That's what the web-to-lead from SFDC generates, and it seems to work now.
However, they have 2 questions I am not certain about and would love assistance with:
1) The specs for the new site require that the return page be the one the form was sent from (I.e., no redirection; we’re intending to do the equivalent of a “thanks” page as a pop-up onClick() — how is that accomplished through the API? I’d EXPECT that sending an empty retURL value should do it, but we just get back a blank page with a salesforce.com URL;
2) is it possible to customize the “name” parameter for the two checkbox fields (if not then we have to hack the entire form in the Django template without making it possible for Django to render the form natively since you can’t have a model form field name start with a digit…). This isn’t THAT problematic, but I’d like to know for future reference.
If anyone has any insight, I'd love to hear it and pass it along to them!
Many thanks.
Not sure about your solution.
The common way is that you could use the Partner WSDL or Enterprise WSDL to insert, update, upsert, or delete your data.
Partner WSDL:
not custom to your Salesforce org, but it could be a common way to get your data.
In Python you could use this package:
https://pypi.python.org/pypi/pyforce/1.4
And reference this:
https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_partner.htm
The Enterprise WSDL will show your Salesforce org status (including fields and objects). But once your objects or fields change, it might error.
So I suggest using the API to control the redirect function and the action.
My solution is as follows in an example
from captcha.fields import ReCaptchaField
from django import forms
from django.conf import settings


def set_field_html_name(cls, new_name):
    """
    This creates a wrapper around the normal widget rendering,
    allowing for a custom field name (new_name).
    """
    old_render = cls.widget.render

    # Extra keyword arguments (e.g. renderer) are passed through unchanged.
    def _widget_render_wrapper(name, value, attrs=None, **kwargs):
        return old_render(new_name, value, attrs, **kwargs)

    cls.widget.render = _widget_render_wrapper


class WebToLeadForm(forms.Form):
    # <keep all fields here>
    # example field below
    referred_by = forms.CharField(label="Referred By", required=False)
    # The reCAPTCHA in this form uses keys from settings.
    captcha = ReCaptchaField()
    # Render referred_by with the Salesforce field name from settings.
    set_field_html_name(referred_by, settings.SF_REFERRED_BY)

settings.py:
SF_REFERRED_BY = '00xxxxxxxxxxxx'

How to give regex pattern in scope of angular js

I have an input field which looks like
<input class="inputMargin urlInputWidth" type="text" size="40" name="url" ng-model="user.customerId" maxlength="250" ng-pattern="/sftp://.+/" />
It works fine and shows validation as expected. I just wanted to move this pattern to the scope of AngularJS to get a much neater form. I have tried this syntax: $scope.sftpValidate="/sftp://.+/"; and ng-pattern="sftpValidate". But this is not validating the pattern at all. I have tried giving $scope.sftpValidate=/sftp://.+/; and $scope.sftpValidate=sftp://.+;. But these are showing syntax errors. What am I missing?
Please see JSBin
View:
<input class="inputMargin urlInputWidth" type="text" size="40" name="url" ng-model="user.customerId" maxlength="250" ng-pattern="regex" />
JS
$scope.regex = /sftp://.+/;
JS UPDATED BY sms:
$scope.regex = /sftp:\/\/.+/;

HTML simple not blank pattern

I have a simple form and I want the submit button not to work for the conditions I give in the pattern, but if I leave it blank the submit works. How can I make the pattern not accept it if it is blank?
<form action="test.php" method="POST">
Enter user name:
<input type="text" name="username" pattern="[A-Za-z0-9]{1,20}">
<input type="submit" value="submit">
</form>
I thought the {1,20} was enough, but it seems it's not.
HTML has the required attribute to accomplish this. If you set any input to be required, modern browsers won't let you submit the form if those fields are empty.
<input type="text" name="username" required="required" pattern="[A-Za-z0-9]{1,20}">
To prevent errors from showing on load, you can not use the HTML5 required attribute. You can use JavaScript. For example:
$('form').on('submit', function (e) {
    // Block the submit event when the field is empty.
    if ($('#form-password').val() === "") {
        e.preventDefault();
    }
});
Using HTML Patterns to match at least one:
<input type="text" name="username" pattern=".{1,}">

XSS Cross Site Scripting - Jsp <Input> tag

The following piece of code in my JSP caused a cross site scripting vulnerability on the input tag.
<form name="acctFrm" method="post" action="<%=contextPath%>/form/acctSummary?rpt_nm=FIMM_ACCT_SUMM_RPT">
<table>
<tr>
<td>Account Id:</td>
<td>
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<%=rptBean.getAcctId()%>"/>
<img class="tbl1" src="<%=contextPath%>/img/Submit.gif" border="0" />
</td>
</tr>
</table>
</form>
During penetration testing they were able to alert a random message to the user by injecting an alert script into the value attribute of the tag, as follows:
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="1"><script>alert(12345)</script>" />
What is the problem here, and what would be the fix?
I was reading through some online references on XSS, but still I wasn't 100% sure what the issue could be.
Any help would be greatly appreciated.
Thanks,
Deena
I have used the following solution,
The scriptlet in the value attribute is the problem. I replaced it with a JSTL tag; I read somewhere that JSTL tags have an inbuilt escaping mechanism to avoid XSS issues.
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<c:out value="${rptBean.acctId}"/>"/>
This works well for my issue.
Thanks
It seems the penetration testers were able to manipulate their session such that rptBean.getAcctId() would return an arbitrary string. If they could inject quotes and a right bracket, they could "force close" the input tag and insert their own script tag.
It looks like penetration testers got the method to return the string 1"><script>alert(12345)</script>.
This indicates that you need to escape the data when writing to the page. I would suggest taking a look at the answer on escaping HTML in jsp.
Also, remember that code does not have to be "perfectly" formatted for a browser to render it "correctly". Here are some links on how attackers may try to evade XSS filters:
http://blog.whitehatsec.com/tag/filter-evasion/
http://ha.ckers.org/xss.html
Always treat user data as "dangerous" and take care when rendering it on a page.
It seems that using the JSTL tag <c:out value=""> in the value attribute will cause errors in JSTL <form options> tags;
more info
XSS prevention in JSP/Servlet web application
If the data returned by getAcctId() comes from the DB, you can filter it before sending it to the client; for example, check whether the data should be a number.
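As an added example (not code from either thread), the output-encoding step that bean:write filter="true" and <c:out> perform, applied to the acctId input and the payload quoted above, beside the server-side format check the last answer suggests. Python is used so it runs stand-alone; escape_attr, render_acct_input and is_valid_acct_id are hypothetical names, and the "1 to 10 digits" rule is an assumption taken from the input's maxlength="10".

```python
import html
import re

# Constructed sample: the string the testers got getAcctId() to return
# (the payload quoted in the thread above).
ATTACK_VALUE = '1"><script>alert(12345)</script>'

# Assumed format for an account id: 1-10 digits (the tag has maxlength="10").
ACCT_ID_RE = re.compile(r"[0-9]{1,10}")

INPUT_TEMPLATE = ('<input class="tbl1" type="text" id="acctId" name="acctId" '
                  'size="20" maxlength="10" value="%s"/>')


def escape_attr(value):
    """Encode a value for a double-quoted HTML attribute.

    This is what bean:write filter="true" and <c:out> do on output:
    &, <, >, " and ' become entities, so the browser never sees a closing
    quote or a tag boundary inside the attribute.
    """
    return html.escape(str(value), quote=True)


def render_acct_input_unsafe(acct_id):
    """The scriptlet form: raw interpolation, as in <%=rptBean.getAcctId()%>."""
    return INPUT_TEMPLATE % acct_id


def render_acct_input(acct_id):
    """The fixed form: the value is encoded before it reaches the markup."""
    return INPUT_TEMPLATE % escape_attr(acct_id)


def is_valid_acct_id(acct_id):
    """Server-side check: accept only a 1-10 digit id (fullmatch rejects
    trailing newlines that a $-anchored match would accept).

    Output encoding keeps the browser from executing a payload; this check
    keeps a payload from being stored or processed in the first place.
    """
    return ACCT_ID_RE.fullmatch(str(acct_id)) is not None


def contains_script_tag(markup):
    """Does the rendered markup still contain a live <script> tag?"""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    print(render_acct_input_unsafe(ATTACK_VALUE))  # tag is broken open
    print(render_acct_input(ATTACK_VALUE))         # payload is inert text
    print(is_valid_acct_id(ATTACK_VALUE))          # False
```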