Resolving cross site scripting issues.
I got a bug report about the following in the admin UI for RavenDB.
As you can imagine, this is certainly something that we would like to avoid, but there is a problem. How the hell do you find the problem?
I mean, obviously we are encoding the value when we present it to the user, since I can see it on the UI. But it is still running, so I am doing something bad here. But I don't feel like traversing through a mountain of JavaScript to find out exactly where this is happening. Luckily, we don't have to; we can use the XSS itself to help us localize it:
And given that, we can get directly to the actual fault:
And fixing that is a snap.
Comments
Excuse my incompetence, but can you elaborate the connection between the yellowish debugger variable and the javascript line of code?
Marcus
Do you mean the tooltip that displays the value of the children variable? Because the value isn't HTML encoded, any javascript will be inserted straight into that <span> as is and thus will be executed on the browser - in this case a debugger breakpoint and then a call to the alert() function.
Oren, sweet use of the debugger breakpoint!
I also wanted to suggest chaining the calls to append() in your jquery to prevent doing the $(childDiv) lookup multiple times, for example.
you should look into some kind of string templating instead of the concatenations
EJS is a great pick. it gives you a syntax similar to php/asp/ERB that is extremely familiar.
so you'd be creating the markup in using a view, then transferring the markup built to jQuery to be inserted to the DOM
@Mike: no, that's not what I mean.
I mean the other yellow-marked word 'debugger'; how does that bring him to the line of javascript code?
Nice technique. Are you 100% sure that the "key" is already encoded as well? At the very least it can contain umlauts, which have to be html encoded (or you might find yourself debugging a much harder problem a year in the future).
@Marcus: At least in Firebug, when the javascript 'debugger;' statement is encountered, this simulates a breakpoint.
@Andrew: thanks, that explains it.
He seems to be using Chrome though, according to the first image;
maybe Chrome has that functionality too.
Marcus,
That is the same behavior in all browsers.
I didn't understand why that string is shown in the UI and executing too.
Oops...my bad Oren.
As above, that jsonDiv is getting wrapped twice.
It was recommended to me to use $jsonDiv as a variable name to make it clear that it was already a wrapped jQuery object.
Fixing just one instance of a problem is a sin. You definitely have more problems like that, and one alone is enough to hijack another user's credentials.
Or... you could just encode everything? I'm not sure what this is all about.
Not all browsers show it the same way, but they will direct you to the line # of the problem. Chrome has the best devtools... worth checking out.
To further elaborate on Steve Gentile's comment, it is better to build a string up and update the DOM a single time rather than updating it per row.
See http://jqfundamentals.com/book/book.html and blog.rebeccamurphey.com/in-search-of-javascript...