Forums

XSS in header

Merlin Mundo, modified 9 years ago

XSS in header

New Member Posts: 20 Join date: 2014.05.16. Latest posts
I am using Liferay 6.2 CE GA2. I have added http.header.secure.x.xss.protection=1; mode=block to my portal-ext, but the scripts I injected into the HTML request headers are returned unchanged. Is there another way to do cross-site scripting protection?

I've actually also done this: http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/ but am not too sure if I applied it correctly. The filter gets called, but the HTML response is not cleaned.

My test case is clicking a link from the code below and injecting a script into the HTML request header:

<%-- Liferay portlet taglib: the tag is renderURL (camel case); the lowercase form does not resolve --%>
<portlet:renderURL var="gotoThisPage">
	<portlet:param name="jspPage" value="/main/view.jsp" />
</portlet:renderURL>
Tomas Polesovsky, modified 9 years ago

RE: XSS in header

Liferay Master Posts: 676 Join date: 2009.02.13. Latest posts
Hi Merlin,

http.header.secure.x.xss.protection only emits the X-XSS-Protection header for browsers. They already have their XSS protection turned on, even without the X-XSS-Protection header. This value is more for testing purposes, where it's possible to turn the protection off for browsers by sending X-XSS-Protection: 0.

The only working protection against XSS is to apply correct escaping for user-supplied input - please see the Wiki on Escaping - but the hard thing here is to apply escaping right and in all places.

For sanitizing HTML - when you need to display HTML (e.g. from HTML editors) - there is the AntiSamy plugin for the EE portal. It's based on the AntiSamy project, which you can use in CE.

I cannot recommend creating your own sanitizing filter unless you really know what you are doing.
1. Input escaping is context-sensitive and it's often possible to bypass these filters using some kind of mixed HTML, URL, CSS or JS encoding.
2. When you save such escaped values into the database, the original meaning of the information / data is changed.
3. Sometimes it's possible to insert data into the DB another way (LDAP / DB import, email parsers ...); without output escaping, no input filter will help.

Btw. if you feel it's XSS in the portal itself, feel free to report it - https://liferay.com/security. Thank you.
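The three points above can be seen in a few lines of plain Java. This is an added illustration, not code from the thread or from Liferay: the `escapeHtml` and `escapeJs` helpers are written here for the example (in a Liferay project you would use the portal's own escaping utilities), and the sample value `O'Brien <b>` is a constructed input. It renders the same value in an HTML text context, an attribute context and a JavaScript string context, and then shows what happens when a value that was already HTML-escaped before being stored is later emitted into a JavaScript context.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: why escaping must happen at output time, per context. */
public final class ContextEscaping {

    /** Escape for HTML text content and for double-quoted attribute values. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#34;");  break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escape for a double-quoted JavaScript string literal inside a script block. */
    public static String escapeJs(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '"' || c == '\'') {
                sb.append('\\').append(c);            // quote and backslash
            } else if (c == '<' || c == '>' || c == '&' || c == '/') {
                sb.append(String.format("\\u%04X", (int) c)); // keep </script> out of the literal
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\r') {
                sb.append("\\r");
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render one raw value into three different output contexts. */
    public static Map<String, String> render(String name) {
        Map<String, String> out = new LinkedHashMap<>();
        out.put("html", "<p>" + escapeHtml(name) + "</p>");
        out.put("attr", "<input value=\"" + escapeHtml(name) + "\">");
        out.put("js",   "<script>var n = \"" + escapeJs(name) + "\";</script>");
        return out;
    }

    public static void main(String[] args) {
        String raw = "O'Brien <b>";                   // constructed sample input
        render(raw).forEach((ctx, html) -> System.out.println(ctx + ": " + html));

        // Point 2 from the post: if the value was HTML-escaped on input and stored that way,
        // the JS context now carries "&#39;" and "&lt;" as literal text - the data changed.
        String storedEscaped = escapeHtml(raw);
        System.out.println("js from pre-escaped DB value: " + render(storedEscaped).get("js"));
    }
}
```

Running `main` shows that the HTML escaper alone is not enough for the script context (a quote there closes the string, not a tag), and that escaping before storage leaves `O&#39;Brien &lt;b&gt;` as the "real" value everywhere the data is later used.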
Merlin Mundo, modified 9 years ago

RE: XSS in header

New Member Posts: 20 Join date: 2014.05.16. Latest posts
Thanks a lot. Anyway, I found out where exactly the XSS was occurring and have escaped it.