This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CRV2 ContextEncJscriptParams"
From OWASP
Line 27: | Line 27: | ||
</script> | </script> | ||
− | + | '''eval()''' | |
var txtField = "A1"; | var txtField = "A1"; | ||
− | var txtUserInput = "'test@ | + | var txtUserInput = "'test@google.ie';'''alert(1);'''"; |
'''eval'''( "document.forms[0]." + txtField + ".value =" + A1); | '''eval'''( "document.forms[0]." + txtField + ".value =" + A1); | ||
+ | |||
+ | '''jquery''' | ||
+ | var txtAlertMsg = "Hello World: "; | ||
+ | var txtUserInput = "test<script>alert(1)<\/script>"; | ||
+ | $("#message").'''html'''( txtAlertMsg +"<b>" + txtUserInput + "</b>"); | ||
+ | |||
+ | Safe usage (use text, not html) | ||
+ | $("#userInput").'''text'''( "test<script>alert(1)<\/script>");<-- treat user input as text |
Revision as of 13:26, 21 October 2013
Untrusted data, if being placed inside a Javascript function/code requires validation. Unvalidated data may break out of the data context and wind up being executed in the code context on a users browser.
Examples of exploitation points (sinks) which are worth reviewing for:
<script>var currentValue='UNTRUSTED DATA';</script> <script>someFunction('UNTRUSTED DATA');</script> attack: ');/* BAD STUFF */
Potential solutions:
OWASP HTML sanatiser Project
OWASP JSON Sanitizer Project
ESAPI javascript escaping can be call in this manner:
String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
Please note there are some JavaScript functions that can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED!
For example:
<script> window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...'); </script>
eval()
var txtField = "A1"; var txtUserInput = "'[email protected]';alert(1);"; eval( "document.forms[0]." + txtField + ".value =" + A1);
jquery
var txtAlertMsg = "Hello World: "; var txtUserInput = "test<script>alert(1)<\/script>"; $("#message").html( txtAlertMsg +"" + txtUserInput + "");
Safe usage (use text, not html) $("#userInput").text( "test<script>alert(1)<\/script>");<-- treat user input as text