Cross Site Scripting

Souvik Ghosh, modified 8 years ago.

Cross Site Scripting

New Member Posts: 2 Join Date: 08.06.15 Recent Posts
Facing a cross scripting issue. If I hit the URL, for example:

https://www.abcd.com/newsyoucanuse?p_p_id=33&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_33_urlTitle=upcoming-webinars-march-2015&_33_struts_action=%2Fblogs%2Fview&_33_redirect=https%3A%2F%2Fwww.northamericancompany.com%2Fnewsyoucanuse%3Fp_p_id%3D115%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_col_id%3Dcolumn-3%26p_p_col_pos%3D1%26p_p_col_count%3D2&%22%3E%3Cscript%3Eprompt%28%29%3C/script%3E=whscheck

Due to the scriptlet "%3D2&%22%3E%3Cscript%3Eprompt%28%29%3C/script%3E=whscheck" a prompt window is opening. I am trying to get rid of this vulnerability from the theme using a Velocity template. What I have done is I have tried to redirect it to an error page whenever it finds a script within the URL, viz.

#if($portalUtil.getCurrentCompleteURL($request).contains("script"))
#set ($portalURL = $themeDisplay.getPortalURL()+"/errorpage")
<script type="text/javascript">
window.location.href = '$portalURL';
</script>
#end
But in IE and Firefox the prompt still occurs. Not sure how to overcome this shortcoming.
If someone could help.
Thanks in advance.
Amos Fong, modified 8 years ago.

RE: Cross Site Scripting

Liferay Legend Posts: 2047 Join Date: 07.10.08 Recent Posts
Hi Souvik,

Redirecting when you detect a script is not the best solution because your detection will be hard to make 100% foolproof. The best way is to escape any untrusted data in your template. See https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet for more info.

Liferay has a util available in templates for you to use already. See https://www.liferay.com/community/wiki/-/wiki/Main/Escaping for all the methods. In a template you would use $htmlUtil.escape($untrustedData)
Souvik Ghosh, modified 8 years ago.

RE: Cross Site Scripting

New Member Posts: 2 Join Date: 08.06.15 Recent Posts
Hi Amos,

The URL I have given in my query is already the escaped version. I have tried escaping the URL, but still the vulnerability persists. Not knowing how to counter the issue after escaping the URL, I went for redirection.
I second you regarding the redirecting part as it is not 100% safe.
But I'll look into the Liferay util you mentioned; maybe I can find my solution there.

Thanks for the valuable suggestion.
Tomas Polesovsky, modified 8 years ago.

RE: Cross Site Scripting

Liferay Master Posts: 676 Join Date: 13.02.09 Recent Posts
Hi,

the XSS vector is this: %22%3E%3Cscript%3Eprompt%28%29%3C/script%3E=whscheck,

url-decoded: "><script>prompt()</script>=whscheck

Look into your HTML sources and find the place where it's written.

Then you need to find the corresponding place in Java / JSP / Velocity / Freemarker server side code. You need to find the code that writes this output.

Once you find the corresponding code, you need to change it to escape the output before writing.

HTH.
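
The difference between the redirect check from the question and the output escaping recommended in the replies, as an added example that is not code from any poster or from Liferay. It assumes a hypothetical theme fragment (renderLink) that writes the current URL into an href attribute, uses a hand-written escapeHtml as a stand-in for $htmlUtil.escape, and a constructed, shortened form of the URL from the question.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class ReflectedUrlEscaping {
    // Stand-in for $htmlUtil.escape: encodes characters that can close an
    // attribute value or open a tag.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical theme fragment that writes the current URL into an attribute.
    static String renderLink(String url, boolean escape) {
        return "<a href=\"" + (escape ? escapeHtml(url) : url) + "\">Back</a>";
    }

    // The question's approach: append a client-side redirect when "script" is
    // seen. The reflected markup is still sent to the browser unchanged.
    static String renderWithRedirectCheck(String url) {
        String page = renderLink(url, false);
        if (url.contains("script")) {
            page += "<script>window.location.href='/errorpage';</script>";
        }
        return page;
    }

    public static void main(String[] args) {
        // Constructed input: shortened form of the URL from the question.
        String query = "p_p_id=33&%22%3E%3Cscript%3Eprompt%28%29%3C/script%3E=whscheck";
        // Assumption: the server-side code sees the URL-decoded form.
        String url = "https://www.abcd.com/newsyoucanuse?"
                + URLDecoder.decode(query, StandardCharsets.UTF_8);
        String injected = "<script>prompt()";
        System.out.println("redirect check: " + renderWithRedirectCheck(url).contains(injected));
        System.out.println("no escaping:    " + renderLink(url, false).contains(injected));
        System.out.println("escaped:        " + renderLink(url, true).contains(injected));
        System.out.println(renderLink(url, true));
    }
}
```

Each of the first three lines printed reports whether the injected tag survives intact in the generated HTML; the last line shows the escaped link, where the quote and angle brackets are entities and the value stays inside the attribute.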