Saturday, December 21, 2013

Examples Of XSS Attack

Let's start with some examples of an XSS attack.
Here we have three files, listed below. Put all three in the same folder and run the "index.cfm" page:
  • Application.cfc
  • index.cfm -
  • comment.json - Stores the comments added to the post
Application.cfc:

Find index.cfm below:

Next is comment.json, where I have added one comment, "First comment", as shown below; this file is used as our comment storage.

First, if you run index.cfm, you will see the output as follows:

As we can see, there is only one comment, the one initially present in the JSON file. Let's add some comments for our testing.
Test 1:
Input: <script>alert('Hello Girls!')</script> and see the output below.

If you look at the dump section, we get the text "<InvalidTag>alert('Hello Girls!')</script>", and in the comment output we get "alert('Hello Girls!')".
This is because in Application.cfc we have added this.scriptprotect = "all"; which rewrites the script tag to "InvalidTag" and protects against such a basic XSS attack.

For your testing, set this.scriptprotect = "none"; and enter the same comment again and see the output. This time you will see the alert message instead of any <InvalidTag> as the comment.

Test 2:
Input: <body onload="alert('Hi');">XSS Body</body> and in the output you will first get an alert message displaying "Hi"; after clicking OK, in the comment section you will find your text "XSS Body".
Every time you load the page you will see the same result. So, how do you protect your site here?
Ans: Use the appropriate display formatting (output encoding) function while displaying the comment, as below:

For CF9:
<cfloop array="#commentObj['blogcomment']#" index="comment">
<li>#HtmlEditFormat(comment)#</li>
</cfloop>
For CF10:
<cfloop array="#commentObj['blogcomment']#" index="comment">
<li>#EncodeForHTML(comment)#</li>
</cfloop>

In both cases we will never get any alert message, and the output comment would be:
"<body onload="alert('Hi');">XSS Body</body>"

If you want to avoid storing this malicious HTML in your storage, then before storing the comment just apply the display formatting function:
<cfset arrayAppend(commentObj['blogcomment'], HtmlEditFormat(form.blogCommentText))>
Or
<cfset arrayAppend(commentObj['blogcomment'], EncodeForHTML(form.blogCommentText))>

After using this function before storing into the database, you don't need to use any display formatting function while displaying the comment anymore, as it is already converted into an XSS-safe string.
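Putting the two halves together as an added example (this is not the author's index.cfm, which is not reproduced on the page): a self-contained comment page that keeps comments raw in comment.json and applies EncodeForHTML only at output time. The blogCommentText form field and the {"blogcomment": [...]} JSON shape are assumed from the snippets above; it targets CF10+ because of EncodeForHTML.

```cfml
<!--- Added example, not the original index.cfm. Assumes comment.json looks like
      {"blogcomment":["First comment"]} and lives next to this page. --->
<cfset commentFile = expandPath("./comment.json")>

<!--- Load existing comments; start empty if the file does not exist yet.
      Bracket notation keeps the key lower-case when serialised back to JSON. --->
<cfif fileExists(commentFile)>
    <cfset commentObj = deserializeJSON(fileRead(commentFile))>
<cfelse>
    <cfset commentObj = structNew()>
    <cfset commentObj["blogcomment"] = []>
</cfif>

<!--- Store the comment exactly as typed. Encoding belongs at the output point,
      because the same text may later be emitted into JSON, an attribute or a
      script block, and each of those needs its own encoder. Storing an
      HTML-encoded copy (the alternative shown above) locks the data to the
      HTML body context and risks double-encoding elsewhere. --->
<cfif structKeyExists(form, "blogCommentText") AND len(trim(form.blogCommentText))>
    <cfset arrayAppend(commentObj["blogcomment"], left(trim(form.blogCommentText), 2000))>
    <cfset fileWrite(commentFile, serializeJSON(commentObj))>
</cfif>

<form method="post">
    <textarea name="blogCommentText"></textarea>
    <input type="submit" value="Add comment">
</form>

<cfoutput>
<ul>
<cfloop array="#commentObj['blogcomment']#" index="comment">
    <!--- HTML body context: EncodeForHTML turns < > " ' & into entities, so
          <script>...</script> and <body onload="..."> are shown as text, never
          parsed as markup. For an attribute value use EncodeForHTMLAttribute,
          and inside a script block use EncodeForJavaScript instead. --->
    <li>#EncodeForHTML(comment)#</li>
</cfloop>
</ul>
</cfoutput>
```

With this page, this.scriptprotect can stay at its default; the encoder at the output point is what neutralises both test inputs above, and the stored JSON still holds the original text for inspection.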


The entered text could also arrive in an encoded form; see this URL for details on encoded malicious scripts: https://www.owasp.org/index.php/Double_Encoding

In that case the function "sanitizeScope", described in http://coldfusion-tip.blogspot.in/2013/12/coldfusion-application-security.html, would come in handy. Inside "onRequestStart" you can call sanitizeScope( form ), or you can call that function in any particular page where you want to use it.

Hope you enjoyed the examples!!!

NOTE: All the examples were tested in Firefox 26.0, and results may vary across browsers and ColdFusion versions, as browsers are also adding XSS countermeasures and Adobe is making CF more secure in each release.

3 comments:

  1. nice and good explanation..
