Ayende @ Rahien

Hi!
My name is Oren Eini
Founder of Hibernating Rhinos LTD and RavenDB.

Resolving cross-site scripting issues.


I got a bug report about the following in the admin UI for RavenDB.

image

As you can imagine, this is something we would very much like to avoid, but there is a problem: how do you find where it is happening?

Obviously we are encoding the value somewhere when we present it to the user, since I can see the raw string on the UI. But the script still runs, so some other code path is putting the same value into the DOM unencoded. I don't feel like traversing a mountain of JavaScript to find out exactly where that happens. Luckily, we don't have to: we can use the XSS itself to localize the fault. Instead of a plain alert, the injected script starts with a "debugger;" statement, so with the developer tools open the browser pauses the moment the unencoded markup is inserted and executed:

image

With execution paused there, the call stack leads directly to the actual fault:

image

And fixing that line is a snap.
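The bug and the technique, as an added example that is not RavenDB's own code. A document-browser widget renders a document key and its child values into the DOM; the vulnerable renderer reproduces the shape of the bug (the key is encoded, so it looks fine in the UI, while the children are concatenated raw), and the hardened renderer encodes every interpolated string. The payload is the one from the post in a form that fires through both jQuery's append() (which does run inline script elements) and plain innerHTML (which does not). auditRenderer() does in a unit test what the "debugger;" payload does in the browser: it injects the canary into every field in turn and reports the fields where it survives as live markup. The field names and the sample document are constructed for the example.

```javascript
'use strict';

// HTML-encode the characters that can break out of a text or a quoted
// attribute context. This is not sufficient for JavaScript or URL contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink: markup built by string concatenation. The key goes through
// escapeHtml, so the value looks encoded on the page, but the child names and
// values are inserted as-is. Any "<" in them becomes live markup.
function renderDocumentVulnerable(doc) {
  let html = '<div class="doc"><b>' + escapeHtml(doc.key) + '</b>';
  for (const [name, value] of Object.entries(doc.children)) {
    html += '<span class="child">' + name + ': ' + value + '</span>';
  }
  return html + '</div>';
}

// Hardened sink: same structure, every dynamic piece goes through escapeHtml
// (the key too, so a stray quote or ampersand in it cannot break the markup).
function renderDocumentSafe(doc) {
  let html = '<div class="doc"><b>' + escapeHtml(doc.key) + '</b>';
  for (const [name, value] of Object.entries(doc.children)) {
    html += '<span class="child">' + escapeHtml(name) + ': ' + escapeHtml(value) + '</span>';
  }
  return html + '</div>';
}

// The localising payload. The handler hits a breakpoint before it alerts:
// with dev tools open the browser pauses inside onerror, and the call stack
// plus the Elements panel point at the element that was inserted unencoded.
// Without dev tools open "debugger;" is a no-op and only the alert shows.
const LOCALISING_PAYLOAD = '<img src=x onerror="debugger;alert(\'xss\')">';

// Did the payload reach the page as a live tag? Once encoded, its "<" is
// "&lt;" and the browser can no longer parse it as markup.
function payloadIsLive(html, payload = LOCALISING_PAYLOAD) {
  return html.includes(payload);
}

// Probe each field of a constructed document separately and return the names
// of the fields that reach the page unencoded. Probing field by field is what
// turns "I fixed the one line the debugger showed me" into a sweep.
function auditRenderer(render, payload = LOCALISING_PAYLOAD) {
  const base = { key: 'users/1', children: { name: 'Oren', city: 'Hadera' } }; // constructed sample
  const probes = {
    'key': { ...base, key: payload },
    'child name': { ...base, children: { [payload]: 'x' } },
    'child value': { ...base, children: { name: payload } },
  };
  return Object.entries(probes)
    .filter(([, doc]) => payloadIsLive(render(doc), payload))
    .map(([field]) => field);
}

console.log('vulnerable renderer leaks:', auditRenderer(renderDocumentVulnerable));
console.log('safe renderer leaks:', auditRenderer(renderDocumentSafe));
```

The audit reports "child name" and "child value" for the vulnerable renderer and nothing for the hardened one. In real jQuery code the equivalent fix is to build the span with $('<span>').text(name + ': ' + value) instead of concatenating into an HTML string, or to use a templating engine that encodes by default; either way the rule is that every value crossing into the DOM is encoded for the context it lands in, not just the ones that happened to be reported.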


Comments

Marcus

Excuse my incompetence, but can you elaborate on the connection between the yellowish debugger variable and the JavaScript line of code?

Mike Scott

Marcus

Do you mean the tooltip that displays the value of the children variable? Because the value isn't HTML encoded, any JavaScript will be inserted straight into that <span> as is and thus will be executed in the browser - in this case a debugger breakpoint and then a call to the alert() function.

Mike Scott

Oren, sweet use of the debugger breakpoint!

I also wanted to suggest chaining the calls to append() in your jquery to prevent doing the $(childDiv) lookup multiple times, for example.

Ken Egozi

You should look into some kind of string templating instead of the concatenations.

EJS is a great pick. It gives you a syntax similar to PHP/ASP/ERB that is extremely familiar.

So you'd be creating the markup using a view, then transferring the markup built to jQuery to be inserted into the DOM.

Marcus

@Mike: no, that's not what I mean.

I mean the other yellow-marked word, 'debugger'. How does that bring him to the line of JavaScript code?

tobi

Nice technique. Are you 100% sure that the "key" is already encoded as well? At the very least it can contain umlauts which have to be HTML encoded (or you might find yourself debugging a much harder problem a year in the future).

Andrew

@Marcus: At least in Firebug, when the JavaScript 'debugger;' statement is encountered, this simulates a breakpoint.

Marcus

@Andrew: thanks, that explains it.

He seems to be using Chrome though, according to the first image; maybe Chrome has that functionality too.

Ayende Rahien

Marcus,

That is the same behavior in all browsers.

Felipe Fujiy

I didn't understand why that string is shown in the UI and executing too.

Luke

Oops...my bad Oren.

Steve Gentile

As above, that JsonDiv is getting wrapped twice.

It was recommended to me to use $jsonDiv as a variable name to make it clear that it was already a wrapped jQuery object.

Jonas

Fixing just one instance of a problem is a sin. You definitely have more problems like that, and one alone is enough to hijack another user's credentials.

Miranda

Or... you could just encode everything? I'm not sure what this is all about.

Michael Fever

Not all browsers show it the same way, but they will direct you to the line # of the problem. Chrome has the best devtools, worth checking out.
