I have a chat website and I want to know if it is XSS-secure. Let me explain my method.

I use this jQuery code to add new messages that come in from an AJAX request to the screen:

$("#message").prepend(req.msg);

I know this is vulnerable, but messages in the DB are encoded. So when I send this payload message:

<text>TEST</test>

it is stored in the database encoded:

&lt;text&gt;TEST&lt;/test&gt;

I know a scenario that bypasses the htmlentities() function, from this answer. In short:

 <input value=<%= HtmlEncode(somevar) %> id=textbox>

If we send `a onclick=alert(document.cookie)` as input to this HTML code, it will become:

<input value=a onclick=alert(document.cookie) id=textbox>

So in this scenario, encoding the < > ; & characters can't save us. But I didn't write my code like this, so I think I'm secure from that vulnerability. My server responds with JSON like this:

..."msg" : "<tr><td><b>user:<\b> &lt;text&gt;TEST&lt;/test&gt;<\td><\tr>",...

And I directly .prepend() the "msg" data into the page. I think this is fully secure. A hacker must use the < > ; & characters for XSS. I am also encoding \ as \\. But maybe I am missing something. Is that fully secure?

  • I wouldn't store HTML-escaped data in the database; I would just insert it in the page using a text parser instead of an HTML parser. And I would wrap all attribute values in quotes, and escape quotes in the inserted content. – Oriol Sep 03 '16 at 23:24
  • I am sorry, but what would you "insert" in the page? Are you suggesting storing messages unescaped and then escaping them at runtime before printing? Does it change anything? – Unhappy Sep 03 '16 at 23:32
  • For example, `$("#message").prepend(document.createTextNode(req.msg));` will prepend a text node instead of parsing `req.msg` as HTML. – Oriol Sep 03 '16 at 23:37
  • In this case, if `req.msg` contains HTML tags, that would trigger an XSS. – Unhappy Sep 03 '16 at 23:55
  • No, it wouldn't, because `document.createTextNode` escapes HTML automatically. There's still a vulnerability though :) Look for my answer. – RamenChef Sep 03 '16 at 23:57
  • You should only store the text of the message in the database and then set the text on an element with $.text(). – bhspencer Sep 04 '16 at 00:40
  • Can I add an img tag? If so, I can do an img tag that links to an SVG document that has onclick elements that execute JavaScript. Or I can add a base64-encoded SVG element. How are you going to stop that? – Tschallacka Sep 04 '16 at 00:40
  • To add tags you have to use < and >. When you type these characters and send a message, I encode them as &lt and &gt and store them in the database. So you can't use tags directly. That's what I am searching for. I encoded tags and the \ character, but maybe there are some characters that I should encode too. – Unhappy Sep 04 '16 at 00:47

1 Answer

No. It's not. The way the data is transported makes it possible for someone to input unescaped HTML tags. Say that someone posted this payload:

\u003cscript\u003ealert(1)\u003c/script\u003e

This would be entered into the database as-is, because there is nothing for htmlencode to escape. However, when it's put in the JSON, and that JSON is parsed, it becomes this:

<script>alert(1)</script>

And executes the malicious code. A better solution would be to encode the raw data for JSON, and then use an HTML escapement mechanism client-side.

With the server-side escaping of \ in the JSON, I think that is fully secure.

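An added example (not code from the question or the answer) that simulates the pipeline discussed above as plain string handling, so it runs in Node without a DOM: the HTML-encode-before-storage step, the hand-built JSON the answer warns about beside a JSON.stringify version, and the "raw text in JSON, escape only when rendering" layout the answer and comments recommend. The names `naiveJson`, `safeJson`, `renderRow` and `demo` are hypothetical.

```javascript
// Server-side step the question describes: HTML-encode the message before storing it.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Broken transport (the answer's scenario): the stored message is pasted into a
// JSON string literal by hand, so a backslash in it survives as a JSON escape.
function naiveJson(stored) {
  return '{"msg":"<tr><td><b>user:</b> ' + stored + '</td></tr>"}';
}

// Correct transport: JSON.stringify escapes backslashes, quotes and control
// characters, so a literal "\u003c" in the data is still six characters after parsing.
function safeJson(stored) {
  return JSON.stringify({ msg: "<tr><td><b>user:</b> " + stored + "</td></tr>" });
}

// Client side: the string the browser would hand to $("#message").prepend(...).
function clientHtml(json) {
  return JSON.parse(json).msg;
}

// Recommended layout: send raw text in JSON and escape only at render time
// (with a real DOM, $.text() or document.createTextNode does this for you).
function renderRow(json) {
  const { user, text } = JSON.parse(json);
  return "<tr><td><b>" + htmlEncode(user) + ":</b> " + htmlEncode(text) + "</td></tr>";
}

// Constructed inputs: the answer's payload (JSON unicode escapes standing in for
// < and >) and the question's plain-tag message.
const PAYLOAD = "\\u003cscript\\u003ealert(1)\\u003c/script\\u003e";
const RAW_TAGS = "<text>TEST</test>";

function demo() {
  const stored = htmlEncode(PAYLOAD); // unchanged: nothing for htmlEncode to encode
  return {
    naive: clientHtml(naiveJson(stored)), // the JSON parser turns \u003c into a real <
    safe: clientHtml(safeJson(stored)),   // stays literal text
    rendered: renderRow(JSON.stringify({ user: "user", text: RAW_TAGS })),
  };
}
```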