Ayende @ Rahien

Hi!
My name is Oren Eini
Founder of Hibernating Rhinos LTD and RavenDB.
You can reach me by phone or email:

ayende@ayende.com

+972 52-548-6969


Resolving cross site scripting issues.


I got a bug report about the following in the admin UI for RavenDB.

[screenshot: the injected script executing (alert box) in the RavenDB admin UI]

As you can imagine, this is certainly something we would like to avoid, but there is a problem: how the hell do you find where it is happening?

Obviously we are encoding the value somewhere, since I can see the payload rendered as text in the UI. But the script is still running, so the same value must also be reaching the DOM unencoded somewhere else. I don't feel like traversing a mountain of JavaScript to find out exactly where that is happening. Luckily, we don't have to: we can use the XSS itself to localize the fault. Put a debugger; statement in the payload ahead of the alert() call, open the browser's developer tools, and when the injected script executes the browser pauses right at the line that inserted it:

[screenshot: the payload rewritten to run debugger; before alert(), so the developer tools break when it fires]

And given that, we can get directly to the actual fault:

[screenshot: the developer tools paused on the line that concatenates the unencoded value into the markup handed to jQuery's append()]

And fixing that is a snap: encode the value before concatenating it into the markup.
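As an added example (my code, not RavenDB's admin UI), here is the shape of the bug the screenshots point at, the encoded version, and a constructed payload with a debugger; statement in front of the alert() call. The function names, the sample document and the payload are all assumptions; jQuery's append() is stood in for by plain strings so that this runs under Node without a DOM. The audit helper reports any field whose rendering carries a tag the template did not emit, which is exactly what an unencoded concatenation produces.

```javascript
'use strict';

// Encode the five HTML-significant characters so a value can be concatenated
// into markup as literal text rather than parsed as tags/attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // must run first, or later entities get re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "Before" (hypothetical, mirrors the bug): key and value land in the markup
// verbatim, so any HTML in a document field becomes live DOM once jQuery's
// append() parses the string.
function renderChildUnsafe(key, value) {
  return '<span class="key">' + key + '</span>: ' +
         '<span class="value">' + value + '</span>';
}

// "After": encode both sides. The key is untrusted input too.
function renderChildSafe(key, value) {
  return '<span class="key">' + escapeHtml(key) + '</span>: ' +
         '<span class="value">' + escapeHtml(value) + '</span>';
}

// Constructed payload in the shape the post uses: hit a breakpoint first, then
// alert. The debugger statement is what makes devtools stop on the offending
// line when the injected handler fires.
const PAYLOAD = '<img src=x onerror="debugger; alert(document.domain)">';

// List tag names in rendered markup that the template did not put there.
// The renderers above only ever emit <span>, so anything else came from input.
function injectedTags(html, templateTags = ['span']) {
  const found = [];
  const re = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!templateTags.includes(tag) && !found.includes(tag)) found.push(tag);
  }
  return found;
}

// Run every field of a document through a renderer and return the field
// names whose rendering carries injected tags.
function auditRenderer(render, doc) {
  return Object.keys(doc).filter(k => injectedTags(render(k, doc[k])).length > 0);
}

// Constructed sample document: one benign field, one with the payload as its
// value, and one with markup in the key.
const SAMPLE_DOC = {
  Name: 'Hibernating Rhinos',
  Note: PAYLOAD,
  '<b>Key</b>': 'value',
};

console.log('unsafe renderer flags:', auditRenderer(renderChildUnsafe, SAMPLE_DOC)); // ['Note', '<b>Key</b>']
console.log('safe renderer flags:  ', auditRenderer(renderChildSafe, SAMPLE_DOC));   // []
```

The same idea carries over to the real UI: if the markup is built by concatenation, every interpolated piece (value and key alike) goes through an encoder; if the UI uses a templating library instead, make sure its default interpolation encodes and reserve the raw/unescaped form for markup you generated yourself.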


Comments

Marcus

Excuse my incompetence, but can you elaborate on the connection between the yellowish debugger variable and the JavaScript line of code?

Mike Scott

Marcus

Do you mean the tooltip that displays the value of the children variable? Because the value isn't HTML encoded, any JavaScript will be inserted straight into that <span> as is and thus will be executed in the browser - in this case a debugger breakpoint and then a call to the alert() function.

Mike Scott

Oren, sweet use of the debugger breakpoint!

I also wanted to suggest chaining the calls to append() in your jQuery to prevent doing the $(childDiv) lookup multiple times, for example.

Ken Egozi

You should look into some kind of string templating instead of the concatenations.

EJS is a great pick. It gives you a syntax similar to PHP/ASP/ERB that is extremely familiar.

So you'd be creating the markup using a view, then transferring the markup built to jQuery to be inserted into the DOM.

Marcus

@Mike: no, that's not what I mean.

I mean the other yellow-marked word, 'debugger'; how does that bring him to the line of JavaScript code?

tobi

Nice technique. Are you 100% sure that the "key" is already encoded as well? At the very least it can contain umlauts which have to be HTML encoded (or you might find yourself debugging a much harder problem a year in the future).

Andrew

@Marcus: At least in Firebug, when the JavaScript 'debugger;' statement is encountered, this simulates a breakpoint.

Marcus

@Andrew: thanks, that explains it.

He seems to be using Chrome though, according to the first image; maybe Chrome has that functionality too.

Ayende Rahien

Marcus,

That is the same behavior in all browsers.

Felipe Fujiy

I didn't understand why that string is shown in the UI and executing too.

Luke

Oops...my bad Oren.

Steve Gentile

As above, that jsonDiv is getting wrapped twice.

It was recommended to me to use $jsonDiv as a variable name to make it clear that it was already a wrapped jQuery object.

Jonas

Fixing just one instance of a problem is a sin. You definitely have more problems like that, and one alone is enough to hijack another user's credentials.

Miranda

Or... you could just encode everything? I'm not sure what this is all about.

Michael Fever

Not all browsers show it the same way, but they will direct you to the line # of the problem. Chrome has the best devtools... worth checking out.
