Difference between revisions of "CRV2 ContextEncJscriptParams"

From OWASP
Revision as of 08:26, 21 October 2013

Untrusted data that is placed inside a JavaScript function or code block requires validation and encoding. Unvalidated data may break out of the data context (a string literal) and wind up being executed in the code context in the user's browser.

Examples of exploitation points (sinks) that are worth reviewing for:

    <script>var currentValue='UNTRUSTED DATA';</script> 
    <script>someFunction('UNTRUSTED DATA');</script> 
    attack: ');/* BAD STUFF */
    


Potential solutions:

OWASP HTML Sanitizer Project
OWASP JSON Sanitizer Project

ESAPI JavaScript escaping can be called in this manner:

    String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );

Please note that some JavaScript functions can never safely take untrusted data as input - EVEN IF IT IS JAVASCRIPT ESCAPED!

For example:

    <script>
    window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
    </script>
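The escaping step the page refers to, as an added example rather than ESAPI's own code: a plain-JavaScript encoder in the style of encodeForJavaScript that hex-escapes every non-alphanumeric code unit, so the sample payload ');/* BAD STUFF */ cannot close the string literal in someFunction('UNTRUSTED DATA'). The function names and the sample payload are the example's own.

```javascript
// Added example (not OWASP or ESAPI code): ESAPI-style JavaScript string escaping.
// Only [A-Za-z0-9] pass through; every other UTF-16 code unit becomes \xHH or \uHHHH.
// Result: the quote, parenthesis, semicolon, slash and asterisk of the page's
// sample payload ');/* BAD STUFF */ can no longer terminate the string literal.
function encodeForJavaScript(untrusted) {
  const s = String(untrusted);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const alnum = (c >= 0x30 && c <= 0x39) || (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a);
    if (alnum) {
      out += s[i];
    } else if (c < 0x100) {
      out += "\\x" + c.toString(16).padStart(2, "0");
    } else {
      out += "\\u" + c.toString(16).padStart(4, "0"); // surrogate halves are escaped individually
    }
  }
  return out;
}

// The page's second sink, built with the data placed inside a single-quoted literal.
// Encoding only protects this quoted-string context: it does not make eval(),
// setInterval() or jQuery .html() safe, because those treat their argument as code/markup.
function renderScript(untrusted) {
  return "<script>someFunction('" + encodeForJavaScript(untrusted) + "');</script>";
}

// Defensive check for tests and code review: an encoded literal body must contain
// nothing but alphanumerics and backslashes, so no quote, slash or angle bracket survives.
function isInertLiteralBody(encoded) {
  return /^[A-Za-z0-9\\]*$/.test(encoded);
}

// Reverse the escaping (what the JS parser does when reading the literal) to show
// the browser still receives the original data unchanged, only as data.
function decodeJavaScriptEscapes(encoded) {
  return encoded.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (m, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

const constructedPayload = "');/* BAD STUFF */"; // constructed sample, from the page's sink list
console.log(renderScript(constructedPayload));
```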

eval()

    var txtField = "A1";
    var txtUserInput = "'test@google.ie';alert(1);";
    // Untrusted input is concatenated into code: the string 'test@google.ie' is assigned, then alert(1) runs
    eval(   "document.forms[0]." + txtField + ".value =" + txtUserInput);

jQuery

    var txtAlertMsg = "Hello World: ";
    var txtUserInput = "test<script>alert(1)<\/script>";
    // Unsafe: .html() parses the untrusted string as markup, so the script element is inserted and executed
    $("#message").html(   txtAlertMsg + "<b>" + txtUserInput + "</b>");

Safe usage (use text, not html):

    // Safe: .text() treats the untrusted input as text, so the tags are displayed rather than parsed
    $("#userInput").text(   "test<script>alert(1)<\/script>");