Hello everyone,
I have done pretty well to prevent XSS insertions by not allowing HTML to be entered in editable text areas.
However, what if somebody has the following situation. Let's say you wanted to give users a way to enter a URL in an input form. This URL could be a previous employer's website, education institution, or even a portfolio.
Let's say the client entering the URL worked for Google. So they enter Google into the input field and click submit.
This website is dynamic, so it will automatically appear as follows:
<a href="http://www.google.com" target="_blank">http://www.google.com</a>
That worked great!!! Now, here is the problem. What if a hacker came along and entered something like this in the text area?
http://www.google.com" onclick="JAVASCRIPT
The link would then appear as follows:
<a href="http://www.google.com" onclick="JAVASCRIPT" target="_blank">http://www.google.com</a>
Obviously, without prevention, a hacker could use any JavaScript he / she wanted. They could send the person to some other website or even import their own code.
How can I, as a programmer, prevent this from happening?
Thanks for any advice as it is always appreciated.
Sincerely,
Travis Walters
There are many things you can do to prevent XSS. However, the general rule of thumb is that XSS prevention is an "output thing", not an "input thing."
In your example above, the first thing I would do is use a regular expression to validate the URL. Whether you do that in JavaScript, PHP, or some other server-side language, that's the first thing you should do. All domain names have a specific format with only certain letters that are allowed. Checking this should be good enough.
However, you should also filter the output. Using a server-side language like PHP and a function like htmlspecialchars() should make your site very secure.
Hey there,
Thanks for the great reply.
What do you mean exactly when you say the first thing you do is validate the URL?
Does this mean you have some script check for
"http://www." + DOMAIN + TOP LEVEL DOMAIN EXTENSION
For the second part of your reply, I found the coldfusion equivalent here:
Entize - trac - Trac
I found something important here as well:
Chris Shiflett: Character Encoding and XSS
It says the following:
"When using htmlspecialchars() without specifying the character encoding, XSS attacks that use UTF-7 are possible."
Does the following prevent UTF-7 attacks?
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
Thanks in advance for any more information you can provide.
Sincerely,
Travis Walters
Pretty much, but you also have to account for different protocols [http/https] and subdomains.
[protocol]://[subdomain].[domain].[extension], and each part of the URL has only specific letters that can be used. I know JavaScript can validate it using regular expressions [don't ask me the specific regex, because I have no clue] and I'm sure ColdFusion has regex too. If you are really paranoid, you can try to establish a connection to the specified URL [maybe using the cURL library] to make sure that the URL actually exists, not just that it is in the proper format.
And I have read Chris Shiflett's article before, but I haven't done much research on the information in that article, so I can't say anything for certain about it. But according to that article, and other sources I have read, setting your character encoding in the meta tags only allows that encoding to be used on the page. So in theory it should prevent any UTF-7 attacks.
Last edited by John; 01-10-2008 at 08:40 PM.
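The two replies above (validate the URL first, then encode it on output with an explicit charset, and account for the protocol and subdomain parts) combined into one PHP script. This is an added example, not code posted in the thread; the function names and the sample inputs are my own, and the sample list includes the thread's own onclick injection attempt so the reader can see where each layer stops it.

```php
<?php
// Added example (not from the thread). Function names are mine.

// Step 1: validate the submitted URL before it is stored.
function validateProfileUrl(string $input): ?string
{
    $url = trim($input);
    // parse_url() is lenient, so each component is checked separately below.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Allow-list the protocol. This also rejects javascript: and data: links,
    // which a check that only looks at the domain name would never notice.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // [subdomain.]domain.extension: labels of letters, digits and hyphens only.
    $hostPattern = '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    if (!preg_match($hostPattern, $parts['host'])) {
        return null;
    }
    // Whole-URL check: spaces, quote characters and control characters fail here.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $url;
}

// Step 2: encode on output. The charset is passed explicitly so the encoder and
// the browser agree on what a quote character is (the UTF-7 point from the thread).
// ENT_QUOTES also encodes single quotes, so the value is safe inside an attribute.
function renderProfileLink(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '" target="_blank">' . $safe . '</a>';
}

// Step 3: state the encoding in the HTTP header as well as the meta tag. The
// header takes precedence when the two disagree, so the meta tag alone is not enough.
function sendPage(string $body): void
{
    header('Content-Type: text/html; charset=utf-8');
    echo '<!DOCTYPE html><html><head>'
       . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />'
       . '</head><body>' . $body . '</body></html>';
}

// Constructed sample inputs, including the injection attempt from the thread.
$samples = [
    'http://www.google.com',
    'https://scholar.google.com/',
    'http://www.google.com" onclick="JAVASCRIPT',
    'javascript:alert(1)',
];
$body = '';
foreach ($samples as $candidate) {
    $valid = validateProfileUrl($candidate);
    if ($valid === null) {
        // Nothing is stored; the rejected text is encoded before being echoed back.
        $body .= '<p>Rejected: ' . htmlspecialchars($candidate, ENT_QUOTES, 'UTF-8') . '</p>';
    } else {
        $body .= '<p>' . renderProfileLink($valid) . '</p>';
    }
}
sendPage($body);
```

The first two samples validate and render as plain links. The third fails validation on the host pattern and the whole-URL filter, and even if validation were skipped, htmlspecialchars() would turn its double quote into &quot; so the attribute cannot be closed early. The fourth has a valid-looking host but is stopped by the protocol allow-list, which is why the scheme check matters in addition to a domain-name regex.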
Hey there,
I just wanted to say thanks for the help.
I know you said that XSS prevention is an output thing, but I would rather be safe and control input and output.
For other readers interested in prevention, I have been using something like the following to control input to a certain extent:
<!--- Flag any HTML tag in the submitted field; the pattern matches "<" ... ">" --->
<cfset htmlFound = 0>
<cfif REFind("<[^>]*>", FORM.VARIABLE_NAME)>
    <cfset htmlFound = 1>
</cfif>
However, after reading about these security issues, I am going to take further measures.
I will probably hire a security expert eventually as well as an SEO specialist.
Thanks again for the help. Got some work to do now.
Sincerely,
Travis Walters
Will htmlspecialchars still execute the HTML? For example, if you have <b>Hello</b>, will Hello still appear bold?
Thanks
Hmm, exactly as my script did... I had to remove that to be able to make links....
Hey Guys,
The security update is coming along great.
I have a quick question though.
How do you validate whether a URL exists?
Thanks in advance.
Sincerely,
Travis Walters
Hey there,
I should have mentioned that I asked about validating a URL in this thread already.
What I mean by my question in the last post is I would think there is already a function that does this?
Something in ColdFusion would be great, but a PHP example could also benefit readers.
Thanks again.
Sincerely,
Travis Walters
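The PHP existence check asked for in the last two posts, following John's earlier suggestion of opening a connection to the URL with cURL. This is an added example and not code from the thread; the function name, the timeout value and the status-code policy are my own choices. Because the server is about to connect to a host the user typed in, the example refuses names that resolve to private or reserved addresses before it connects.

```php
<?php
// Added example (not from the thread). Function name is mine.
// Sends a HEAD request with cURL and reports whether a server answered for the URL.

function urlExists(string $url, int $timeoutSeconds = 5): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // Resolve the name and refuse private/reserved ranges so the check cannot be
    // pointed at services that are only reachable from the web server itself.
    // gethostbyname() returns its argument unchanged when the lookup fails.
    $ip = gethostbyname($parts['host']);
    if ($ip === $parts['host']) {
        return false;
    }
    $publicOnly = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $publicOnly) === false) {
        return false;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,   // HEAD request: only the status line is needed
        CURLOPT_FOLLOWLOCATION => false,  // a redirect target would bypass the address check above
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => $timeoutSeconds,
        CURLOPT_TIMEOUT        => $timeoutSeconds,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $answered = curl_exec($ch) !== false;
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // 2xx and 3xx mean the resource (or a redirect to it) exists. Some servers
    // answer HEAD with 405 Method Not Allowed even though the page exists, so
    // that code is accepted as well; anything else (404, 5xx, no answer) is not.
    return $answered && (($status >= 200 && $status < 400) || $status === 405);
}

// Usage (requires network access; the second call is rejected before connecting):
var_dump(urlExists('http://www.google.com'));
var_dump(urlExists('http://localhost/'));
```

Run this from the server side only after the format validation has passed, and treat a false result as "could not confirm" rather than proof that the site is down: a slow host, a firewall that drops HEAD requests, or a DNS hiccup will all make it return false.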