Cross Site Scripting with Hidden Inputs - xss

My company gave me the task of resolving all security issues with a particular application. The security tream reported a cross site scripting error. The error lies in the following input field:
<input type="hidden" name="eventId" value="${param.eventId}"/>
The report from security wasn't very detailed, but the say they can make a POST request to the page that has the above tag including the following malicious code:
eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
And that when the page reloads, it will have the following:
<input type="hidden" name="eventId" value=""><sCrIpt>alert(83676)</sCrIpt></value>
I am trying to "be the hacker" and show the vulnerability. But I can't figure out how they manage to get that script in there. I am guessing they include it as a URL parameter in the GET request for the form, but when I try to do it myself I get a 403 error. Does anyone know how the vulnerability can be shown?
I know there is a number of XSS questions on the site, but none seem to hit this topic.

So, I am not sure why, but my original hunch was correct. The script can be put on as a URL parameter. For some reason though, this was not working with our staging site. Only with running the application locally. I am not sure why, but this works (only locally):
http://localhost:8080/myUrl/MyAction.do?eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
Doing that, you see an alert box pop up. I am planning to fix it using JSTL functions.
<%# taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
...
<input type="hidden" name="eventId" value="${fn:escapeXml(param.eventId)}"/>

Install [TamperData][1] add-on in firefox browser which let you edit the data before submitting. Doesn't matter if it's in POST or GET.
By using this hidden fields can be edited.

What you want to do to fix the problem, is to HTMLAttributeEncode the value before putting it inside the value-attribute. See OWASP ESAPI or MS AntiXSS for methods for doing HTML attribute encoding.
Seeing how the attack string is URL encoding, I think you guess about including it as a GET parameter seems reasonable.

I used the OWASP ESAPI API as the legacy jsp's didn't have JSTL available. This is what I used:
<input type="hidden" name="dataValue" value="<%=ESAPI.encoder().encodeForHTMLAttribute(dataValue)%>">
You can also use the API to filter request.Parameter() which I also needed, as in:
String userURL = request.getParameter( "userURL" )
boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
if (isValidURL) {
link
}
and:
String name = (String) request.getParameter("name");
name = ESAPI.validator().getValidInput("name ", name , "SafeString", 35, true);

Related

How to not allow browser to store previous values in flask-form StringField?

After submitting my flaskapp form to make a new response, there is appears a 'quick-suggested' form contains previous input values. How can I restrict appearing this? In fact, I don't understand where it comes from and where it's stores so can't make a relevant ask to google. Dont be sarcastic - it was surprisingly for me, that it's disappear when I try to make this image with scissors!
it's all about that
P.S. all happens in google chrome
Your "google term" would be form autocomplete. This is a feature of your browser not flask or any web framework.
You can ask the browser to not autocomplete a form.
<form ... autocomplete="off">
or an individual field
<input type="text" autocomplete="off">
Keep in mind that the browser doesn't have to respect your wishes. Specifically in the case of login fields where browsers will autofill usernames and passwords regardless of autocomplete="off".

Why is the FORM scope showing fewer values than were actually submitted by this AJAX file uploader?

I'm not sure I understand how to phrase my question, but I believe it's specific to ColdFusion's handling of certain AJAX form data, despite my reference to a specific JavaScript plugin.
I'm trying to implement the FilePond uploader on a ColdFusion 2011 server, and I've got it configured well on the frontend (it uploads the files to tmp folder just fine), but my problem is not knowing how to get ColdFusion to process the extra metadata it sends along with it on every upload. This data doesn't look to me like it comes in the same format as plain old hidden input fields.
When I inspect the network request with Dev Tools, it looks different to me than other forms I've processed. There are two "filepond" entries, one a JSON object and the other the binary image. When I < cfdump var="#form.FilePond#">, I only get the tmp uploaded file path, which I can process. But how do I access the JSON in my screenshot containing the "parentid"? Nothing I've tried, like form.FilePond[1], seems to work and throws errors.
Update with output from CF form processing page:
1st line is output of Form.FilePond.
2nd is cfdump of Form.
3rd is cfdump URL.
4th is cfdump of getHttpRequestData()
Update:
Bugs filed for CF2016 (core support ending for CF11 after April 2019)
CF-4204103 -
FORM scope is missing values when same named fields include type=file
CF-4204102 - sameFormFieldAsArray setting doesn't work with enctype="multipart/form-data"
After some testing, I've concluded it's a ColdFusion bug.
Issue:
The issue seems to occur under these conditions
Request is a multipart/form-data POST
Contains multiple fields with the same name
At least 1 of those fields is a file field i.e. type="file"
The first field submitted (within the group) is NOT a file field
Under those conditions, ColdFusion seems to ignore everything before the first file field. (If you check the filepond source ut confirms the metadata field is submitted before any file fields). That's why the metadata value doesn't appear when dumping the FORM scope.
Note, the this.sameFormFieldsAsArray setting has no effect because it doesn't work with multipart/form-data requests.
Test Case
Below is a test case. Notice the results are what you'd expect when the same named field occurs after the first file field?
<cfdump var="#form#" label="Form scope">
<form method="post" enctype="multipart/form-data">
<br>First:
<input type="file" name="fileFirst"><br>
<input type="text" name="fileFirst" value="Lions"><br>
<br>Last:
<input type="text" name="fileLast" value="Tigers"><br>
<input type="file" name="fileLast"><br>
<br>Middle:
<input type="text" name="fileMiddle" value="Bears"><br>
<input type="file" name="fileMiddle"><br>
<input type="text" name="fileMiddle" value="Oh My"><br>
<input type="submit">
</form>
Workaround
This blog provides a workaround using an undocumented feature of the FORM scope. Using form.getPartsArray() provides access to both "filePond" fields allowing you to extract the value of the dropped field. Not ideal, but does work until the issue is fixed.
Keep in mind this is an undocumented feature, so be sure to isolate the code for easier alterations in case Adobe alters or removes that function in the future (which they've done before, so fair warning!).
<cfscript>
// dump raw form fields
for (part in form.getPartsArray()) {
writeDump({ fieldName = part.getName()
, isFile = part.isFile()
, fieldValue = (part.isFile() ? part.getFileName() : part.getStringValue())
}
);
}
</cfscript>

HTML5 number input field step attribute broken in Internet Explorer 10 and Internet Explorer 11

It appears some of my website's users are experiencing issues when attempting to insert values into input fields of type number with the step attribute set.
I am using Django 1.6 to render the forms to HTML.
The number fields map to an underlying DecimalField model field with max_digits=25 and decimal_places=5
This results in the following example html being rendered for the number field:
<input type="number" value="" step="0.00001" name="quantity" id="id_quantity">
The step attribute I know is not yet supported in FireFox but is in Opera, Chrome, Safari and IE10+
Everything works fine in all browsers except IE10 and IE11. In the above example the maximum range that can be entered is -227 to 227 in IE10 and IE11. If I try to enter a lower or greater value (respectively) than this I get a 'You must enter a valid value' error and cannot submit the form.
According to http://www.w3schools.com/tags/att_input_step.asp
The step attribute specifies the legal number intervals for an element.
Example: if step="3", legal numbers could be -3, 0, 3, 6, etc.
So in my user's example they were attempting to enter 20000 as the value which failed in IE10 and IE11. If my calculations are correct 20000 falls correctly into an interval of 0.00001
A solution for me could be to remove the step attribute from all my forms that use a number field, either via the django forms or using javascript, but I think this would be a very messy solution and one that goes against the grain of HTML5.
Has anyone else encountered a similar problem, have I done something wrong or is this a bug in IE10 and IE11?
Any thoughts, comments or answers welcome. In the meantime I will be forced into providing my usual solution to affected users by suggesting they use a browser that works.
You're not alone, IE is pretty buggy on this.
I'm not sure about IE10, I can only test IE11 right now, and it kinda treats number fields as date fields, which it actually shouldn't support at all, still when passing for example 20000 it says "Insert a valid date" (originally "Geben Sie ein gültiges Datum ein").
And indeed, when entering something like 01.01.2000 or 01-01-2000 it passes validation, though even 20000.01.123456789 passes, just like 90000 or 0.foobar, so I guess the validation is just totally messed up.
So for the time being you'll probably have to use some kind of polyfill in case you want to please IE users.
IE10's HTML5 form validation is really buggy in this case, so you might want to consider disabling HTML5 form validation for this form.
You can do this by adding a novalidate attribute to the form tag. For example, you might want to do something like this:
<form method='POST' action='.' novalidate='novalidate'>
<input type="number" value="" step="0.00001" name="quantity" id="id_quantity">
</form>
Setting novalidate will tell the browser to not try to be useful, which should work out your issue. However, please be aware that this will disable the HTML5 validation for the whole form for all browsers. If you need to keep this for some browsers while removing it from IE, you'll have to add the novalidate attribute via Javascript on page load after checking the browser user agent. This user agent can be spoofed however so it's not an ideal solution.
I ran into the same issue and adding step="any" at the field level fixed the issue for me.
It looks like IE10+ need a MIN and MAX value in order to work properly. If you defines these values it will work just fine with the 10000 value:
<input type="number" value="" step="0.00001" min="-100000" max="100000" name="quantity" id="id_quantity" />
Seems that step attributes for numer input just implemented as for Range Input which needs min, max and step values.
If really you are not able to define a min and max value, you must use Javascript to do that.

User redirect with POST in iframe

I am building one of my first MVC 4 applications and I need some help with redirecting users.
I have a windows form application where I use a AxSHDocVw.AxWebBrowser to redirect the user to a specific URL , a SOAP web service to be precise, aswell as sending HTTP POST and HEADER data aswell.
This is done like so:
oHeaders = "Content-Type: application/x-www-form-urlencoded" + "\n" + "\r";
sPostData = "ExchangeSessionID=" + SessionID;
oPostData = ASCIIEncoding.ASCII.GetBytes(sPostData);
axWebBrowser2.Navigate2(ref oURL, ref o, ref o, ref oPostData, ref oHeaders);
I am looking to replicate this functionality in my MVC application, but am unsure of the how this can be done.
I was hoping to have this within an iframe, but can't find a way of sending the POST and HEADER data from this. This is what I have been trying so far:
Controller
ViewBag.URL = TempData["URL"];
ViewBag.SessionID = TempData["SessionID"];
ViewBag.FullURL = TempData["URL"] + "?ExchangeSessionID=" + TempData["SessionID"];
return View();
View
<iframe src="#ViewBag.FullURL" width="100%" height="500px"></iframe>
Basically I was trying to append the data to the end of the URL hoping this would work for the HTTP POST part. This is what I ended up with:
https://www.myurl.aspx?ExchangeSessionID=87689797
The user is being directed to the page, but the web service is giving me an error ( which tells me it is now receiving the POST data).
Can some please help me to try and fix this, or even give me advice on how to go about this another way. Like I said, I'm fairly new to MVC applications and I'm not entirely sure what I'm tryin to do is even possible.
Any help is appreciated. Thanks
I've decided to answer this question myself incase anybody is looking to do something similar in the future.
The first step was to create my iframe:
<iframe name="myframe" src="" width="100%" height="700px"></iframe>
Next I want to create a form with a button which, when pressed, will post the data to the url while targeting the iFrame (Note the target attribute of the form):
<form action="#ViewBag.URL" method="post" target="myframe">
<input type="hidden" name="ExchangeSessionID" value="#ViewBag.SessionID" />
<input type="submit" value="Submit" />
</form>
So what happens is, when the button is pressed, the form posts the ExchangeSessionID to the target URL and then the page response is displayed inside the iFrame.

Prevent XSS in HTML forms from third party site

The basics:
I have a contact form that uses
php to validate the
forms. (in addition to client side) This could be done in any server side language though.
The server side only allows
A-z 0-9 for certain fields (it is
acceptable to validate this field to
English only with that extremely limited range)
If the form contains errors, I repopulate the fields so the user doesn't have to retype before submitting again
I am willing to not let other sites post to my form, even if legitimate use could be found there.
I can easily make a form on a different web site that posts a dirty word to a field. Certain dirty words are perfectly legit according to the validation rules, but my employeer obviously wouldn't like that to happen.
I am under the impression that dedicated hackers can affect cookies, php sessions and of course hidden fields are easy to spoof along with referrers and such. How can I block third party sites from posting to my page?
Please feel free to help me Google for this too. My search terms are weak and bringing up methods I know will fail.
What if somebody submits "d03boy eats cats" via a form on their site and gets people to click a link that submits it to my form? (Admit it is possible, and my company cannot accept any risk) Then when a user clicks the link they see inside the "name" field "d03boy eats cats" and gets super offended and contacts PETA about our site's content. We just cannot explain to the user what happened. True, nothing happened, but upsetting a single users isn't acceptable to my employer.
Our current solution is to not report any user input, which in my opinion is a big usability issue.
This sounds like you need a moderation system in place for user generated content, not a technical solution. Obviously you can check the referrer field, content scrub and attempt to filter the profane, but enumerating badness never works. (It can be an acceptable "first pass", but humans are infinitely resourceful in avoiding such filters).
Put the user submitted content into a queue and have moderators review and approve content. To lighten the load, you can set trusted users to "pre approved", but you have said your client can't accept any risk.
Frankly, I find that impossible: even with moderators there is the risk that a moderator will subvert your system. If that is actually true (that they have zero risk tolerance) then I suggest they not accept any user input, don't trust moderators and in fact eliminate the site itself (because an insider could go rogue and put something improper up). Clearly every act has risk; you need to find out how much they can accept, such as a moderator based approval queue.
I'm not sure I entirely understand your question but I'll do my best to give you a basic answer.
Cross Site Scripting (XSS) happens generally when someone else puts in HTML into your forms. Your website allows this to happen because it isn't escaping the HTML properly. If you use PHP you probably want to make use of the htmlentities($str, ENT_QUOTES) function.
htmlentities($str, ENT_QUOTES)
PHP htmlentities
My attempt
...
<?
$form_token = "";
$token = "";
$encoded_token = "";
$salt = "ThiséèÞ....$ÖyiìeéèÞ"; //it is 70 characters long
...
...
$blnGoodToken = false;
...
...
//Check for the encoded token
session_start();
$encoded_token = GetSuper('POST', 'TOKEN');
if (isset($_SESSION['TOKEN'])) {
if (sha1($_SESSION['TOKEN'] + $salt) === $encoded_token) {
$blnGoodToken = true;
//echo "Good Token";
}
else {
//echo "Bad Token";
$blnGoodToken = false;
unset($_SESSION);
session_unset();
session_destroy();
session_start();
}
}
else {
$blnDoit = false;
echo "No Token, possible no session";
}
$token = uniqid(rand(), TRUE);
$_SESSION['TOKEN'] = $token;
$form_token = sha1($token + $salt);
...
...
?>
...
...
<form action="request.php?doit=y" method="post">
<input type="text" name="TOKEN" id="TOKEN" value="<?=$form_token?>" />
<!--
form stuff
-->
<input type="reset" value="Clear" />
<input type="submit" value="Submit" />
</form>
Since I don't use sessions anywhere else on the site, I don't think we are exposed much to session hijacking. The token changes each load, and to get the token to match the session you would have to know
I am using SHA. An easy guess to
make on my php code
I keep it in the session. I suppose
the session is gettable
My salt. I think this is a good
secret. If they know my salt they already
owned my server