Cross Scripting Attacks against Server-Side Processing Draw Request

Question

Link: https://datatables.net/manual/server-side#Returned-data

"The draw counter that this object is a response to - from the draw parameter sent as part of the data request. Note that it is strongly recommended for security reasons that you cast this parameter to an integer, rather than simply echoing back to the client what it sent in the draw parameter, in order to prevent Cross Site Scripting (XSS) attacks."

Can someone explain in kindergarten language what this means? This is very frustrating this is like reading gibberish to me. So just make draw = 1 and then no hacks? Life is easy?

I will post code so this does not get closed:

$(document).ready(function() {
var asc = true;
$('#example').DataTable( {
"processing": true,
"serverSide": true,
"ajax": {
"url": "server.php",
"type": "POST",
},


columnDefs: [{
targets: -1,
defaultContent: '<button type="button">Delete</button>'
}],
rowGroup: {
dataSrc: 1
}
});
});
 </script>
   <body>

 <table id="example" class="display" style="width:100%" class="table table-striped table-bordered table-hover table-condensed">
  <thead class="thead-inverse">
 <tr>
 <th> ID </th>
 <th>First Name </th>
 <th>Last Name </th>
 <th>Position </th>
 <th>Date </th>
<th>Updated </th>
 <th>Action</th>
 </thead> 
 </tr>
         <tbody>

         </tbody>
     </table>
     </div>         
 <?php

 $data=array();
 $requestData= $_REQUEST;

 $count=mysqli_query($con, "SELECT * FROM employees");
 $totalData= $count->num_rows;
 $totalFiltered=$totalData;

 $json_data = array(
            "draw"            => intval( $requestData['draw'] ),   // for every request/draw by clientside , they send a number as a parameter, when they recieve a response/data they first check the draw number, so we are sending same number in draw.
            "recordsTotal"    => intval( $totalData ),  
            "recordsFiltered" => intval( $totalFiltered ), 
            "data"            => $data   // total data array
            );

 echo json_encode($json_data);
 ?>
 </script>
   <body>

 <?php
 $data=array();
 $requestData= $_REQUEST;
 $query=mysqli_query($con, "SELECT * FROM employees");
 $totalData= $count->num_rows;
 $totalFiltered=$totalData;

 if( !empty($requestData['search']['value']) ) {
    // if there is a search parameter
    $sql = "SELECT first_name, last_name, position, date, updated";
    $sql.=" FROM employees";
    $sql.=" WHERE first_name LIKE '".$requestData['search']['value']."%' ";
    // $requestData['search']['value'] contains search parameter
    $sql.=" OR last_name LIKE '".$requestData['search']['value']."%' ";
     $sql.=" OR position LIKE '".$requestData['search']['value']."%' ";
      $sql.=" OR date LIKE '".$requestData['search']['value']."%' ";
       $sql.=" OR updated LIKE '".$requestData['search']['value']."%' ";

    $query=mysqli_query($con, $sql);
    $totalFiltered = mysqli_num_rows($query); // when there is a search parameter then we have to modify total number filtered rows as per search result without limit in the query

    $sql.=" ORDER BY ". $columns[$requestData['order'][0]['column']]."   ".$requestData['order'][0]['dir']."   LIMIT ".$requestData['start']." ,".$requestData['length']."   "; // $requestData['order'][0]['column'] contains colmun index, $requestData['order'][0]['dir'] contains order such as asc/desc , $requestData['start'] contains start row number ,$requestData['length'] contains limit length.
    $query=mysqli_query($con, $sql); // again run query with limit

} else {   

    $sql = "SELECT first_name, last_name, position, date, updated";
    $sql.=" FROM employees";
    $sql.=" ORDER BY ". $columns[$requestData['order'][0]['column']]."   ".$requestData['order'][0]['dir']."   LIMIT ".$requestData['start']." ,".$requestData['length']."   ";
    $query=mysqli_query($con, $sql);

}

$data = array();
while( $row=mysqli_fetch_array($query) ) {  // preparing an array
    $nestedData=array();

    $nestedData[] = $row["titulo"];
    $nestedData[] = $row["descripcion"];

    $data[] = $nestedData;
}

 ?>

Server.php

<?php
    $table = 'employees';
    $primaryKey = 'id'; // Table's primary key

    $columns = array(
        array( 'db' => 'id', 'dt' => 0 ),
        array( 'db' => 'first_name', 'dt' => 1 ),
        array( 'db' => 'last_name',  'dt' => 2 ),
        array( 'db' => 'position',   'dt' => 3 ),
        array( 'db' => 'date',     'dt' => 4 ),
         array( 'db' => 'updated',     'dt' => 5 ),
    );

    $sql_details = array(
        'user' => 'username',
        'pass' => 'password',
        'db'   => 'database',
        'host' => 'localhost'
    );

    require( 'ssp.class.php' );

    echo json_encode(
        SSP::simple( $_GET, $sql_details, $table, $primaryKey, $columns )
    );
    ?>

One explanation: Draw is a sequence number. More info here: https://datatables.net/manual/server-side#Sent-parameters It starts at 1 but increments for each draw. The response should have the same sequence number. You can see this in any of the SSP examples like this: https://datatables.net/examples/data_sources/server_side.html Open the browser's network tools and look at the request and response. The first will be 1 and if you sort or search the next will be 2.

Can this be simplified a little more? Thanks.

Answer 1

Seems no one knows. I found this description on 'draw':

""draw" => intval( $requestData['draw'] ), // for every request/draw by clientside , they send a number as a parameter, when they recieve a response/data they first check the draw number, so we are sending same number in draw.

Link: https://gist.github.com/aziz-blr/f3f645ed1451515597e52ede4be51539

This is ok gives a better picture. Better than nothing I suppose.