4

I'm looking for informations about security on Qooxdoo. I want to check my app vs OWASP top 10 A point to review is the XSS OWASP A3 XSS

How can I be sure that Qooxdoo is secure against XSS attacks ? Does Qooxdoo use some sanitizer tools ?

SOLVED

A short answer from all the discussions. Yes Qooxdoo is XSS safe. By default, no javascript value in any field will be executed.

But, if you use rich=true, you have to check input/output

Benoît VALLETTE d'OSIA
  • 67
  • 6
  • Are there any specific areas of OWASP that you think is applicable? OWASP seems to be relevant to the server security rather than client, i.e. if the client is compromised the question is whether the server can protect itself. – johnspackman Jun 14 '16 at 07:54
  • You are right, I want to check my full application against OWASP. I use Jspresso and docker, so I can check all the OWASP points. But for the XSS one, the client must be check, in my case Qooxdoo, that's why I asked my question only for Qooxdoo – Benoît VALLETTE d'OSIA Jun 14 '16 at 10:13

1 Answers1

6

A common XSS attack vector are situations where an attacker somehow inputs JS code into a web application, such that this code then shows up in the DOM of a webpage and gets thus activated.

To protect against this kind of XSS, you must make sure that the backend server does not send user generated (un-cleaned) html towards the browser ... (this has nothing to do with qooxdoo).

That said, the regular qooxdoo widgets do not in general display data as html so you are reasonably safe even without a clever server. The exception is the qx.ui.basic.Label widget and its descendants. The Label widget has the ability to display HTML directly if you set the rich property. The rich property is set to false by default, but if you enable it, you have to make sure you don't display 'dangerous' html content.

Only very few (non essential) qooxdoo widgets allow you to insert HTML code into the DOM. In these instance you have to take care to sanitize the data. The widgets in question are:

qx.ui.embed.Html
qx.ui.table.cellrenderer.Html
qx.ui.progressive.renderer.table.cell.Html
qx.ui.virtual.cell.Html
qx.ui.virtual.layer.HtmlCell
qx.ui.virtual.layer.HtmlCellSpan

If you do use qx.html.* and qx.bom.*and qx.dom.* objects to work with the DOM directly, you are beyond the reach of qooxoo and have to take care to act accordingly.

Another important attack vector are authentication cookies. Most of the attacks work by getting the browser to send a request together with the cookie to its server without the user being aware it.

Qooxdoo itself does not require you to use cookies at all. Since qooxdoo applications by design run in a single browser window, you can work without ever using cookies. An easy way of implementing something like this is to have a 'server access singleton' which takes care of all the communication with the backend and supplies the access token in a special header added to every request.

The code below could serve as a guide ... for the cookie problem.

qx.Class.define('myapp.Server', {
    extend : qx.io.remote.Rpc,
    type : "singleton",

    construct : function() {
        this.base(arguments);
        this.set({
            timeout     : 60000,
            url         : 'QX-JSON-RPC/',
            serviceName : 'default'
        });
    },

    properties: {
        sessionCookie: {
            init: null,
            nullable: true
        }
    },

    members : {
        /**
         * override the request creation, to add our 'cookie' header
         */
        createRequest: function() {
            var req = this.base(arguments);
            var cookie = this.getSessionCookie();
            if (cookie){
                req.setRequestHeader('X-Session-Cookie',this.getSessionCookie());
            }
            return req;
        }
    }
});

and if you provide a login popup window in myapp.uiLogin you could replace the standard callAsync by adding the following to popup a login window if the backend is unhappy with your request.

 /**
 * A asyncCall handler which tries to
 * login in the case of a permission exception.
 *
 * @param handler {Function} the callback function.
 * @param methodName {String} the name of the method to call.
 * @return {var} the method call reference.
 */
callAsync : function(handler, methodName) {
    var origArguments = arguments;
    var origThis = this;
    var origHandler = handler;
    var that = this;
    var superHandler = function(ret, exc, id) {
        if (exc && exc.code == 6) {
            var login = myapp.uiLogin.getInstance();

            login.addListenerOnce('login', function(e) {
                var ret = e.getData();
                that.setSessionCookie(ret.sessionCookie);
                origArguments.callee.base.apply(origThis, origArguments);
            });

            login.open();
            return;
        }

        origHandler(ret, exc, id);
    };

    if (methodName != 'login') {
        arguments[0] = superHandler;
    }

    arguments.callee.base.apply(this, arguments);
},

take a look at the CallBackery application to see how this works in a real application.

Tobi Oetiker
  • 5,167
  • 2
  • 17
  • 23
  • 1
    I'm not sure to understand why this is an answer about the Qooxdoo immunity against XSS. – Benoît VALLETTE d'OSIA Jun 14 '16 at 13:49
  • what kind of xss attack do you want to protect yourself against specifically ... ? Many involve cookies in some way, so by writing an app that does not use cookies, you can get around a whole bunch of them very easily ... – Tobi Oetiker Jun 14 '16 at 14:40
  • And many don't involve cookies at all. Even those that do involve cookies are better mitigated by the standard XSS defences. I'm not even sure what the XSS vulnerability this answer is supposed to defend against is. (Or how this could mitigate it, you're just replacing one form of input with a different form of input, but not changing what that input it at all) – Quentin Jun 14 '16 at 14:53
  • As I said, by NOT using cookies, you can avoid a whole class of attacks ... due to the architecture of qx this is really simple ... If you have a different class of xss attacks in mind, please be specific so we can discuss in less general terms. – Tobi Oetiker Jun 14 '16 at 14:59
  • 1
    I think that the question is specifically targeted at client XSS (ability to inject valid javascript in the DOM by using the standard qooxdoo widgets) and if qooxdoo specifically deals with it. See https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting#DOM_Based_XSS_.28AKA_Type-0.29 – Vincent Vandenschrick Jun 15 '16 at 10:12
  • I would dare to venture that most of the client xss attack vecrtors stemm from the fact that people operate "on the DOM". Qooxoo does not work like that mostly. The user does not interact with the dom directly ... he uses the qooxoo api exclusively ... and qooxoo controls the entire dom tree. – Tobi Oetiker Jun 15 '16 at 15:57
  • Is-it safe to say that a user who display a value written by another user, can't execute any javascript code from field value ? – Benoît VALLETTE d'OSIA Jun 16 '16 at 07:32
  • 1
    My understanding is that it entirely depends on the application code. If it uses a `rich=true` label (which is not the default) to display a value that has been typed-in by a malicious user and the backend does not perform any filtering, then yes, the javascript code *will* execute. It is the developer (or the framework he uses) responsibility to make sure that the typed-in strings are expunged from any malicious code before setting them to a `rich` qooxdoo Label. Starting from 4.3, Jspresso will perform systematic filtering of incoming values using the OWASP java-html-sanitizer library. – Vincent Vandenschrick Jun 16 '16 at 16:37