Reflective XSS Protection - clarification?

StackOverflow https://stackoverflow.com/questions/21253167

Question

After reading this article by Eric Lawrence ,I saw this test page http://www.enhanceie.com/test/xss/ which simulates the usage of Reflective XSS Protection.

Now , According to google chromium :

XSS filter checks whether a script that's about to run on a web page is also present in the request that fetched that web page. If the script is present in the request, that's a strong indication that the web server might have been tricked into reflecting the script.

So , If I post to the server : 

<script>alert("bang! script injection\n"+document.cookie);</script>

And the browser also sees it at the request via url: 

http://webdbg.com/test/xss/Hello.asp?txtName=%3Cscript%3Ealert%28%22bang%21+script+injection%5Cn%22%2Bdocument.cookie%29%3B%3C%2Fscript%3E

then it shows this error ( console):

The XSS Auditor refused to execute a script in 'http://webdbg.com/test/xss/Hello.asp?txtName=%3Cscript%3Ealert%28%22bang%21+script+injection%5Cn%22%2Bdocument.cookie%29%3B%3C%2Fscript%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

But fiddler does show me that the page did get the script to run :

enter image description here

Question :

As the solution to deal with xss is html Encode/decode ,

How/when should I combine between those 2 solutions ?

I mean I could use html encode and scripts would never run in my page , or , I could use this header... ?

Im confused.

Was it helpful?

Solution

But fiddler does show me that the page did get the script to run

No, it doesn't. Fiddler shows you that the server sent the script back to the browser. It tells you absolutely nothing about what the browser did with the script.

As the solution to deal with xss is html Encode/decode

That is one solution (also the simplest and best if you don't need to allow users to submit any kind of HTML).

How/when should I combine between those 2 solutions?

You should encode any user input you get as HTML by encoding entities, and ignore anti-XSS filters that appear in some browsers because not all browsers have them so you cannot depend upon them.

I mean I could use html encode and scripts would never run in my page

Only encode user input (because it is untrusted). Don't encode scripts you write yourself and therefore can trust.

OTHER TIPS

Encoding and Decoding is the most reliable solution for XSS vulnerabilities. Make sure you encode for the right context. i.e. if the tainted data is being inserted in to javascript then call a javascript encoder not a html encoder. ESAPI have a good library of all the encoders you need.

In addition some browsers are now supporting Content Security Policy settings with headers that also help in the battle against XSS. Here is an article on it http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Do not rely on browser filters because you cannot be sure your users will have that feature in their browser. Always sanitize your data.

Simply HTML encoding is enough to prevent XSS. If the user enters xss characters they will be encoded but alphanumeric characters will remain as such.

Other than this, you can use tag of the core jstl library in the jsp pages.

Better to give examples instead writing.

Reflective XSS POC

<?php
/**
 * @Author Vaibs
 *
 */
$cookie_name = "user";
$cookie_value = "John Doe";
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day
if (isset($_REQUEST['Submit'])) { //check if form was submitted
    $input = isset($_REQUEST['appid']) ? $_REQUEST['appid'] : "";//get input text
    echo "Input from client is reflected back as ->  : " . $input;
}
?>

<html>
<body>
<form>
    <input type="text" name="appid"/>
    <input type="submit" name="Submit"/>
</form>
</body>
</html>

How to avoid ? Answer: Simplest is to use PHP function urlencode.

<?php
/**
 * @Author Vaibs
 *
 */
$cookie_name = "user";
$cookie_value = "John Doe";
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day
if (isset($_REQUEST['Submit'])) { //check if form was submitted
    $input = isset($_REQUEST['appid']) ? $_REQUEST['appid'] : "";//get input text
    echo "Input from client is reflected back as ->  : " . urlencode($input);
}
?>

<html>
<body>
<form>
    <input type="text" name="appid"/>
    <input type="submit" name="Submit"/>
</form>
</body>
</html>

Difference is the use of urlencode function that is been used in the second code.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top