Saturday, December 21, 2013

Examples Of XSS Attack

Let's start with some examples of XSS attack.
Here we have three files as listed below and put the three files in same folder and run "index.cfm" page:
  • Application.cfc
  • index.cfm -
  • comment.json - Stores the comment added in the post

Find index.cfm below:

and next comment.json where I have added a comment as "First comment" as below, this file is used as our comment storage.

First if you run index.cfm then you will see the output as follows:

As we can see here we have only one comment which was present initially in the JSON file. Let's add some comment for our testing.
Test 1:
Input: <script>alert('Hello Girls!')</script> and see the output below.

If you notice in dump section we are getting the text as "<InvalidTag>alert('Hello Girls!')</script>" and in comment output we are getting "alert('Hello Girls!')".
This is because, in Application.cfc we have added this.scriptprotect = "all"; which is converting the script to "InvalidTag" and helps from such basic XSS attack.

For your testing make this.scriptprotect = "none"; and enter the same comment again and see the output. This time you will see the alert message instead of any <InvalidTag> as the comment.

Test 2:
Input: <body onload="alert('Hi');">XSS Body</body> and in output first you will get an alert message which will display "Hi" and after clicking OK, in comment section you will find your text "XSS Body".
Every time you load the page you will see the same result. So, how to protect here to your site???
Ans: Use appropriate display formatting function while displaying the comment as below:

For CF9:
<cfloop array="#commentObj['blogcomment']#" index="comment">
For CF10:
<cfloop array="#commentObj['blogcomment']#" index="comment">

In both the cases we will never get any alert message and output comment would be:
"<body onload="alert('Hi');">XSS Body</body>"

If you want to avoid storing this malicious HTML in your storage then before string the comment just use the display formatting function:
<cfset arrayAppend(commentObj['blogcomment'], HtmlEditFormat(form.blogCommentText))>
<cfset arrayAppend(commentObj['blogcomment'], EncodeForHTML(form.blogCommentText))>

After using this function before storing into database, don't need to use any display formatting function while displaying the comment anymore as it is already converted into XSS safe string.

The entered text could be in encoded format visit the URL for detail encoded malicious script :

In that case use the function "sanitizeScope" which is described in would come handy. Inside "onRequestStart" you can call: sanitizeScope( form ) or you can call that function in any particular page wherever you want to use.

Hope you enjoyed the examples!!!

NOTE: All the examples tested in FireFox 26.0  and it may vary in different browsers and  in different ColdFusion version as browsers are also taking XSS attack measure and in CF versions also Adobe making CF more in each release.

1 comment: