Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Closed 8 years ago.
Improve this question
I'm experiencing XSS in a legacy site.
The Parameter vulnerable to this attack is: ldapSearch.jsp?f=
After adding the XSS payload to check whether it is vulnerable or not: "><img src=x onerror=prompt(0);>
The URL will look like:
http://idenservices.hostname.com/axrac/ldapSearch.jsp?f=%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E
The XSS pop up comes up and proves that the site is vulnerable to XSS attacks.
Snippet from JSP
<tr>
<td class="required">*</td>
<td class="label"><h3>Enter User's Core ID</h3></td>
<td class="field"><input type="text" name="userid" size="25" maxlength="20" onkeypress="return isAlphaNumberKey(event)" onblur="return LowerCaseAlphanumeric(document.getElementById('userid'));">Lookup User</td>
</tr>
Snippet from JS
function userlookup(fieldName, formName)
{
var uri = "/axrac/ldapSearch.jsp?f=" + formName + "&f1=" + fieldName;
msgWindow=open(uri,'lookup','width=600,height=400,resizable=yes,toolbar=no,menubar=no,location=no,directories=no,status=no');
msgWindow.focus();
}
Adding ldapsearch.jsp
<%
String backFieldName = request.getParameter("f1");
String backFormName = request.getParameter("f");
%>
<table width="100%" cellpadding="0" cellspacing="0" border="0" class="PageSubHeader1">
<tr class="bg">
<td class="flag"> </td>
<td class="banner" width="100%"><h2>LDAP Search</h2></td>
</tr>
</table>
<table cellpadding="0" cellspacing="0" border="0" class="PageIntroduction">
<tr>
<td class="copy">
<br/>When searching for a person by their name, please provide 2 or more letters for their first and last name.
If less than 2 letters are entered for both fields or if one field is empty, the search may not return any results.
</td>
</tr>
</table>
<p class="HorizontalRule"></p>
<form action='ldapSearchResults.jsp' method='post'>
<input type="HIDDEN" name="backFieldName" value="<%=backFieldName%>">
<input type="HIDDEN" name="backFormName" value="<%=backFormName%>">
<table width="100%" cellspacing="0" border="0" class="Forms">
<tr>
<td class="required">*</td>
<td class="instruction" colspan="2"><h2>Indicates required field</h3></td>
</tr>
<tr>
<td class="required">*</td>
<td class="label"><h3>First Name</h3></td>
<td class="field"><input type=text name='firstName' size="20"></td>
</tr>
<tr>
<td class="required">*</td>
<td class="label"><h3>Last Name</h3></td>
<td class="field"><input type=text name='lastName' size="20"></td>
</tr>
<tr>
<td> </td>
<td class="label" colspan="2"><h3>- Or -</h3></td>
</tr>
<tr>
<td class="required">*</td>
<td class="label"><h3>Core ID</h3></td>
<td class="field"><input type=text name='coreID' size="20"></td>
</tr>
</table>
<p class="HorizontalRule"></p>
<table width="100%" cellpadding="0" cellspacing="0" border="0" class="Buttons">
<tr>
<td><input type="submit" class="systemButton1" value="Submit Form" id="Submit"> <input type="reset" class="systemButton2" value="Reset Form" id="Reset"></td>
</tr>
</table>
</form>
</body>
</html>
I do not see any issue with JavaScript, but still it is prone to XSS attack.Need help in understanding why it is vulnerable and what should I do to fix this.
Need help in understanding why it is vulnerable
You take user input here:
String backFieldName = request.getParameter("f1");
Then your output it, without modification, here:
<input type="HIDDEN" name="backFieldName" value="<%=backFieldName%>">
(You do the same with other data too, but we'll use this for the example).
This allows anyone to craft a link that contains a "> followed by any HTML (including <script> elements or a Payment Required form) they want, send it to someone, and then have their HTML appear on your site when that person follows the link.
and what should I do to fix this.
Either convert any characters with special meaning in HTML to their respective entities, or run the data through a whitelist to filter out potentially bad input.
Further reading: OWASP XSS Prevention Cheat Sheet
Related
I have the following code snippet and I'm looking for a better way to parse out the last name.
<TABLE BORDER="0" class="info" width="560">
<TR>
<TD VALIGN="top"> <B>First Name<B></FONT> </TD>
<TD VALIGN="top"> <INPUT TYPE="text" NAME="First_Name" SIZE="16" value="Ashley"> </TD>
<TD VALIGN="top"> <B>Last Name<B></FONT> </TD>
<TD VALIGN="top"> <INPUT TYPE="text" NAME="Last_Name" SIZE="16" value="Smith"> </TD>
</TR>
<tr>
<TD VALIGN="top" colspan="2"> <B>Company Name (if any):<B></FONT> </TD>
<TD VALIGN="top" colspan="2"> <INPUT TYPE="text" NAME="Company_Name" SIZE="24" value=""> </TD>
</tr>
<TR>
<TD VALIGN="top" colspan=2> <B>Address<B></FONT> </TD>
<TD VALIGN="top" colspan=2> <INPUT TYPE="text" NAME="Address" SIZE="24" value="123 Any Street Circle "> </TD>
</TR>
<tr>
<TD VALIGN="top" colspan=2> <B>City <B></FONT> <INPUT type="text" id="City" name="City" SIZE="14" value="Shady Town"> </TD>
<TD colspan="2" VALIGN="top"> <B>State<B></FONT> <INPUT type="text" id=State name=State SIZE="4" value="Tx"> <B>Zip<B></FONT> <INPUT type="text" id=Zip name=Zip SIZE="8
I have the following but I'm pretty sure I can do this without having to do the replace. What I'm trying to do below is find the starting point, finding the end point, and then taking the text in between. Then once I have that, remove the "matched" text leaving me with the value of the input field.
<cfset LastName_start = findNoCase('<INPUT TYPE="text" NAME="Last_Name" SIZE="16" value="', theString, 0)>
#lastName_start#
<cfset LastName_end = findNoCase('">', theString, 0)> #lastName_end#
<cfset lastNameValue = '#Mid(theString,LastName_start,LastName_end)#'>
#lastNameValue#
<cfset lastNameValue = replace(lastNameValue, '<INPUT TYPE="text" NAME="Last_Name" SIZE="16" value="', '')>
<cfset lastNameValue = replace(lastNameValue, '">', '')>
<cfset lastNameValue = listFirst(lastNameValue,'"')>
<cfdump var="#lastNameValue#" label="lastNameValue">
Any tips on how I can clean this up using ColdFusion? This is an ethical exercise.
And yes, I did try to format this.
I second Scott Stroz's suggestion about trying JSoup. It usually works well, and is very simple to use.
Download the JSoup jar and load it in your Application.cfc.
component {
this.name = "MyApplication";
this.javaSettings = { loadPaths = ["C:\path\to\jsoup-1.12.1.jar"] };
// ... more application settings
}
Create an instance of JSoup, parse the HTML string and use val() to grab the text of the first matching element. It returns an empty string if the element wasn't found.
You can find a bunch of other helpful examples in the JSoup Cookbook.
<cfscript>
yourHTMLString = '<TABLE BORDER="0" class="info" ......';
// parse html
jsoup = createObject("java", "org.jsoup.Jsoup");
root = jsoup.parse( yourHTMLString );
// get the first matching value ...
lastName = root.select("input[name='Last_Name']").val();
firstName = root.select("input[name='First_Name']").val();
companyName = root.select("input[name='Company_Name']").val();
cityName = root.select("input[name='City']").val();
stateName = root.select("input[name='State']").val();
address = root.select("input[name='Address']").val();
</cfscript>
Results:
Suppose we have a Map object which has State as it's Key and List of districts in a State as it's Value. This how I am iterating over this kind of Map object.but each district is NOT getting printed on a new row. Can someone help ???
<div th:if="${not #lists.isEmpty(stateToDistrictMap)}">
<table>
<tr><td>State</td><td>Districts</td></tr>
<th:block th:each="state : ${stateToDistrictMap}">
<tr>
<td th:text="${state.key}">State</td>
<th:block th:each="district : ${state.value}">
<td th:text="${district.name}">District</td>
<td th:text="${district.code}">District</td>
<td th:text="${district.erstyear}">District</td>
<td th:text="${district.info}">District</td>
</th:block>
</tr>
</th:block>
</table>
</div>
Can someone help ???
You probably want something like:
<div th:if="${not #lists.isEmpty(stateToDistrictMap)}">
<table>
<tr>
<td>State</td>
<td>Districts</td>
</tr>
<th:block th:each="state: ${stateToDistrictMap}">
<tr th:each="district, i: ${state.value}">
<td th:text="${i.first ? state.key : ' '}" />
<td th:text="${district.name}" />
<td th:text="${district.code}" />
<td th:text="${district.erstyear}" />
<td th:text="${district.info}" />
</tr>
</th:block>
</table>
</div>
I am totally new to the selenium. Please accept apologies for asking daft or silly question.
I have below on the website. What I am interested is that how can I get the data-selectdate value using selenium + python . Once I have the data-selectdate value, I would like to compare this against the the date I am interested in.
You help is deeply appreciated.
Note: I am not using Beautiful soup or anything.
Cheers
<table role="grid" tabindex="0" summary="October 2018">
<thead>
<tr>
<th role="columnheader" id="dayMonday"><abbr title="Monday">Mon</abbr></th>
<th role="columnheader" id="dayTuesday"><abbr title="Tuesday">Tue</abbr></th>
<th role="columnheader" id="dayWednesday"><abbr title="Wednesday">Wed</abbr></th>
<th role="columnheader" id="dayThursday"><abbr title="Thursday">Thur</abbr></th>
<th role="columnheader" id="dayFriday"><abbr title="Friday">Fri</abbr></th>
<th role="columnheader" id="daySaturday"><abbr title="Saturday">Sat</abbr></th>
</tr>
</thead>
<tbody>
<tr>
<td role="gridcell" headers="dayMonday">
<a data-selectdate="2018-10-22T00:00:00+01:00" data-selected="false" id="day22"
class="day-appointments-available">22</a>
</td>
<td role="gridcell" headers="dayTuesday">
<a data-selectdate="2018-10-23T00:00:00+01:00" data-selected="false" id="day23"
class="day-appointments-available">23</a>
</td>
<td role="gridcell" headers="dayWednesday">
<a data-selectdate="2018-10-24T00:00:00+01:00" data-selected="false" id="day24"
class="day-appointments-available">24</a>
</td>
<td role="gridcell" headers="dayThursday">
<a data-selectdate="2018-10-25T00:00:00+01:00" data-selected="false" id="day25"
class="day-appointments-available">25</a>
</td>
<td role="gridcell" headers="dayFriday">
<a data-selectdate="2018-10-26T00:00:00+01:00" data-selected="false" id="day26"
class="day-appointments-available">26</a>
</td>
<td role="gridcell" headers="daySaturday">
<a data-selectdate="2018-10-27T00:00:00+01:00" data-selected="false" id="day27"
class="day-appointments-available">27</a>
</td>
</tr>
</tbody>
</table>
To get the values of the attribute data-selectdate you can use the following solution:
elements = driver.find_elements_by_css_selector("table[summary='October 2018'] tbody td[role='gridcell'][headers^='day']>a")
for element in elements:
print(element.get_attribute("data-selectdate"))
You can use get_attribute api of element class to read attribute value of element.
css_locator = "table tr:nth-child(1) > td[headers='dayMonday'] > a"
ele = driver.find_element_by_css_selector(css_locator)
selectdate = ele.get_attribute('data-selectdate')
Im trying to make a typo3 extension and i want to show all relations(in this case cities) from region. I connected them in them in the kickstarter like this:
i tried to print the cities in the regions single view doing this:
<table class="tx-collection-plan" >
<tr>
<td>
<f:translate key="tx_collectionplan_domain_model_region.name" />
</td>
<td>
{region.name}
</td>
</tr>
<tr>
<td>
<f:translate key="tx_collectionplan_domain_model_region.cities" />
</td>
<td>
<ul>
<f:for each="{region.cities)" as="city">
<li>{city.name}</li>
</f:for>
</ul>
</td>
</tr>
</table>
But i keep getting this error:
Oops, an error occurred!
The argument "each" was registered with type "array", but is of type "string" in view helper "TYPO3\CMS\Fluid\ViewHelpers\ForViewHelper"
is there another solution to show all subparts of a region (with links that can be klicked -> like the list view of cities itself)?
EDIT: when i remove the for loop and just print city.name, i only get
the dot from li .... but nothing else
I found the solution:
all i need is
<table class="tx-collection-plan" >
<tr>
<td>
<f:translate key="tx_collectionplan_domain_model_region.name" />
</td>
<td>
{region.name}
</td>
<td>
<f:for each="{region.cities}" as="city">
{city.name}
</f:for>
</td>
</tr>
</table>
the <f:translate> was unnecessary
I got a coldfusion query where the result is grouped on country names. With a click on this one, I try to open or close the list under the country. But i cannot work correctly with this siblings and this parents. The result is, if i click on a country name, the fourth one, for example, it close all childrens, and the three country name which are before too.
Can someone help me to choose the right selectors ?
Thank you in advance ,
Michel
The code:
<script type="text/javascript" language="javascript">
$(document).ready(function(){
var toggleMinus = '<cfoutput>#variables.strWebAddress#</cfoutput>/images/bullet_toggle_minus.png';
var togglePlus = '<cfoutput>#variables.strWebAddress#</cfoutput>/images/bullet_toggle_plus.png';
var $subHead = $('table#categorylist tbody th:first-child');
$subHead.prepend('<img src="' +toggleMinus+ '" alt="collapse this section" /> ');
$('img', $subHead).addClass('clickable').click(function(){
var toggleSrc = $(this).attr('src');
if(toggleSrc == toggleMinus){
$(this).attr('src',togglePlus).parents('.country').siblings().fadeOut('fast');
}else{
$(this).attr('src',toggleMinus).parents('.country').siblings().fadeIn('fast');
}
});
});
</script>
<table width="95%" border="0" cellspacing="2" cellpadding="2" align="center id="categorylist">
<thead>
<tr>
<th class="text3" width="15%">
<cfmodule template="../custom_tags/get_message.cfm" keyName="L_ACTOR_CODENUMBER">
</th>
<th class="text3" width="15%">
<cfmodule template="../custom_tags/get_message.cfm" keyName="L_ACTOR_CODE">
</th>
<th class="text3" width="55%">
<cfmodule template="../custom_tags/get_message.cfm" keyName="L_ACTOR_NAME">
</th>
<th class="text3" width="15%">
<cfmodule template="../custom_tags/get_message.cfm" keyName="L_ACTIVE">
</th>
</tr>
</thead>
<tbody id="content">
<cfoutput query="qryCategoryUrl" group="country_name" groupcasesensitive="false">
<tr class="country">
<th style="font-weight:bold; text-align:left;" colspan="4">#country_name#</th>
</tr>
<cfoutput>
<tr>
<td valign="top" class="text3">#Replace(ACTOR_CODENUMBER, Chr(13) & Chr(10), "<br>", "ALL")# </td>
<td valign="top" class="text3">#Replace(ACTOR_CODE, Chr(13) & Chr(10), "<br>", "ALL")# </td>
<td valign="top" class="text3">#Replace(ACTOR_NAME, Chr(13) & Chr(10), "<br>", "ALL")# </td>
<td valign="top" class="text3"><cfmodule template="../custom_tags//get_message.cfm" keyName="#ACTIVE_display(qryCategoryUrl.ACTIVE)#"></td>
</tr>
</cfoutput>
</cfoutput>
</tbody>
</table>
Instead of:
.parents('.country').siblings().fadeOut('fast');
Try this:
.closest('.country').nextUntil('.country').fadeOut('fast');
And of course, apply the same change to the .fadeIn(). You might also look into .fadeToggle()docs.
Here's a (reduced) example: http://jsfiddle.net/redler/5sqJz/. While it doesn't affect the example, presumably you would be setting the initial state of those detail rows as hidden.
woah all that cfmodule usage, cfmodule can be a memory hog.
Although what I always recommend is that people try their pages in whatever browser, and use the SelectorGadget bookmarklet at http://www.selectorgadget.com/
This makes it easier to test and check the correct selector, for your app needs.