We ve been using WYSIWYG Editor for more than i can remember. Easily pasting a javascript in this kind of editor make it a sitting duck for XSS attacks.
Any one know any WYSIWYG Editor than integrated with XSS preventions?
Solutions and suggestions are welcome.
A WYSIWYG editor is all client-side (unless it's packaged along with some server component, which would be platform-specific). You cannot protect against user attacks from the client-side; users can always skip the editor and post their XSS right in the HTTP request.
You never want to throw away information at the input or storage phases. Everything you do to prevent XSS should happen when you write user input back out to the screen. The simplest way is to simply encode everything. Obviously on a site like Stackoverflow, where some user input needs to be written eventually as markup, it needs to be scrubbed first.
If we know some more about what platform you're using, we could probably recommend some well-tested, proven libraries that do what you need.
Related
I was wondering why alert() is quite often used to demonstrate XSS vulnerabilities. If I am not mistaken XSS means that the attacker should be able to establish two-way communication between infected client and attacker's server. It is just that this is a quite visual way to demonstrate that the attack is possible (as it uses the same characters as the actual payload would have) or is there something more? I tried to look it up online but found nothing...
You're overthinking it. it's demonstrated with an alert because when the alert is shown, it means the attacker was able to insert javascript code into your page and that code was executed as if you had put it there yourself. ... so from the perspective of the client (visitor) this code is coming from you, and they don't know anything about the attacker - which is what the attacker wants.
It's just like a "hello world" program but from the XSS world. It's easy to check, minimalistic, checking that you can at least execute some javascript function (alert). While you're looking for an XSS, the payload itself is not as important as the "can I actually inject some javascript here?" question.
Basically, it's a 2 steps approach.
Find a vulnerable parameter. (using alert or any other simple function)
Now let's have some fun with it.
If I am not mistaken XSS means that the attacker should be able to establish two-way communication between infected client and attacker's server.
Not always. Sometimes, 1-way communication is enough:
Just send data to your server, no response required. It's very useful for the stored XSS case (when let's say you can put random javascript code into a comment visible to other users)
You can inject some HTML asking the user to open another website and do whatever you want. (XSS + social engineering)
To summarise: alert is a simple function sufficient to check if you can inject javascript, like "hello world" to check that your setup is working. If you're successful -> it's time to make it more complicated.
Edit: in a real attack, people usually check more options, because the "alert" keyword is blocked by most security filters. It doesn't mean that the XSS is not there ;) But "alert" is a very convenient example for tutorials, so you'll see it everywhere.
I was wondering why alert() is quite often used to demonstrate XSS vulnerabilities.
Simply because the alert() method is the best option to show people that you are able to insert JS code into the page.
If I am not mistaken XSS means that the attacker should be able to establish two-way communication between infected client and attacker's server.
Kinda. XSS just means that the attacker is able to inject malicious JS into the page.
It is just that this is a quite visual way to demonstrate that the attack is possible (as it uses the same characters as the actual payload would have) or is there something more?
It's just the visual way.
However JS can be sandboxed in iframes etc. so the alert('XSS') is not the best method to show that you are able to inject malicious code.
The best way is to use some information from the page itself. For example
alert(`XSS attack on ${window.location.host}'s page: "${document.title}"`)
is a lot better way to demonstrate. It shows that you can have access to window properties (redirect) and document (modify) as well.
On this page it would display:
XSS attack on stackoverflow.com's page: "XSS, why is alert(XSS) used to find/demonstrate xss vulnerabilities? - Stack Overflow"
I'm using TinyMCE as my online editor but I'm concerned of XSS attacks etc..
I though of replacing all < and >, but that doesn't seem to be an option with this kind of editor and I'm not sure removing script tags is enough too (what about onclick, onmouseover and other events).
What should be my approach to avoid such attacks?
You have to choose, security or convenience. The WYSIWYG editor like TinyMCE is very convenient. It allows non-experts to use a web interface to update some content with or without html tags. Its the lazy way to allow someone non-technical to update html, and it comes with all kinds of hazards.
When you give users access to TinyMCE interface to your database it is absolutely equal to giving them a database client to update data directly in your database.
ALso, note that today there is a great deal of Cross-Site-Scripting that is not malicious, that is in fact facebook, linkedin, youtube, etc integration that requires script references to third party domains etc.
So if you harden the TinyMCE tool so that XSS can not be added it will be useless to a serious web developer in many scenarios.
But if you need to make an add/edit/update/delete editor XSS proof you need to validate and sanitize all inputs and your best choice is to roll your own.
In theory you can eliminate XSS like this, but in practice its difficult. There always seems to be something that you've overlooked.
The best way I've found is to use a regular expression to only permit use of certain tags that you specify ( <strong>, <em> etc) and remove all others. You also need to look for attempts to circumvent your protection by users encoding characters.
My website http://www.imayne.com seems to have this issue, verified by MacAfee. Can someone show me how to fix this? (Title)
It says this:
General Solution:
When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.
Ensure that parameters and user input are sanitized by doing the following:
Remove < input and replace with "<";
Remove > input and replace with ">";
Remove ' input and replace with "&apos";
Remove " input and replace with """;
Remove ) input and replace with ")";
Remove ( input and replace with "(";
I cannot seem to show the actual code. This website is showing something else.
Im not a web dev but I can do a little. Im trying to be PCI compliant.
Let me both answer your question and give you some advice. Preventing XSS properly needs to be done by defining a white-list of acceptable values at the point of user input, not a black-black of disallowed values. This needs to happen first and foremost before you even begin thinking about encoding.
Once you get to encoding, use a library from your chosen framework, don't attempt character substitution yourself. There's more information about this here in OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS) (don't worry about it being .NET orientated, the concepts are consistent across all frameworks).
Now for some friendly advice: get some expert support ASAP. You've got a fundamentally obvious reflective XSS flaw in an e-commerce site and based on your comments on this page, this is not something you want to tackle on your own. The obvious nature of this flaw suggests you've quite likely got more obscure problems in the site as well. By your own admission, "you're a noob here" and you're not going to gain the competence required to sufficiently secure a website such as this overnight.
The type of changes you are describing are often accomplished in several languages via an HTML Encoding function. What is the site written in. If this is an ASP.NET site this article may help:
http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
In PHP use this function to wrap all text being output:
http://ch2.php.net/manual/en/function.htmlentities.php
Anyplace you see echo(...) or print(...) you can replace it with:
echo(htmlentities( $whateverWasHereOriginally, ENT_COMPAT));
Take a look at the examples section in the middle of the page for other guidance.
Follow those steps exactly, and you're good to go. The main thing is to ensure that you don't treat anything the user submits to you as code (HTML, SQL, Javascript, or otherwise). If you fail to properly clean up the inputs, you run the risk of script injection.
If you want to see a trivial example of this problem in action, search for
<span style="color:red">red</span>
on your site, and you'll see that the echoed search term is red.
In choosing an editor for my wiki-like site, I'm debating whether to allow HTML or a custom alternate markup (maybe like wikipedia/wikimedia's or BBCode).
HTML benefits:
Easy for users to deal with (copying and pasting, learning)
Somewhat future proof
Many more editing tools available, usually WYSIWYG too
Alternate markup benefits:
On the server side I don't have to worry about parsing malicious javascript or styles or HTML that I don't allow
Can be easy to learn
Can be easier to decipher if not HTML-savvy
Am I missing something, what's the best solution?
Depends on your target audience. If they're tech savvy, they probably know HTML, BBCode, etc. If they're not, they probably don't and a simplified markup might be more appropriate. Personally I like markdown for the non-tech savvy. There are editing tools available for both, also libraries available for handling each of them. So really it comes down to which do you want your users to use?
I would stick with wiki markup. You can make it easier by using a WYSIWYG editor like FCKEditor
For HTML, let moderators have control using e.g. Extension:RawMsg
Peroanlly as a user, I'm not a fan of html for things like wiki editing. Most of the time you dont need more than simple features so its too verbose and just makes life harder, and I dont really like using WYSIWYG editors either. I prefer being able to type Markdown or Textile myself directly into the editing field.
If ease of use is a concern, go with a WYSIWYG editor, and then it doesn't really matter what the underlying markup is.
For the site i am building i would like the users to be able to provide embed codes for video and audio sites. i know this poses a security risk, so i wanted to find out, within Django, how best to filter the html provided so that only certain tags and certain sites are allowed.
Does anyone have any references to how i can accomplish this with Django?
You may be better off using a lightweight markup language and then converting to HTML. This prevents them from playing games to get around whatever HTML checking you do. Fully and correctly checking HTML for 'gotchas' is very difficult to do.
Doing it this way is sort of from the school of That which is not explicitly permitted is prohibited.