Server XSS vs Client XSS

xss
Can someone give me a clear explanation of the difference between server XSS and client XSS? I read the explanation on the OWASP site but it wasn't very clear to me. I know the reflected, stored and DOM types.

Is jQuery's $.get() safe to call on an untrusted URL?

jquery,ajax,json,security,xss
I recently learned that jQuery's $.getJSON() is not safe to call on an untrusted URL. What about $.get()? Is jQuery's $.get() safe to call when the URL parameter comes from an untrusted source, or is this insecure? This came up in a security code review I was doing, to check...

Java Override getInputStream from HttpServletRequestWrapper to escape HTML in JSON

jackson,xss
I am trying to override the HttpServletRequestWrapper#getInputStream(). I am trying to read the JSON in the body and escape the HTML tags to prevent XSS. I am working on a large application with multiple endpoints. I am using JacksonMapper to translate the JSON to the POJOs so want to sanitize...

Why isn't my XSS attack on a dummy website working?

javascript,html,security,post,xss
In my security course we were given a dummy website to practice XSS attacks: http://permalink.co/multivac/biteme.php Don't worry, this website is for practice; it only temporarily changes on a particular student's computer, and it always resets back to the original afterwards. I want to change the url under "click to download" to point...

Purpose of web app input validation for security reasons

validation,security,xss,sql-injection,code-injection
I often encounter advice for protecting a web application against a number of vulnerabilities, like SQL injection and other types of injection, by doing input validation. It's sometimes even said to be the single most important technique. Personally, I feel that input validation for security reasons is never necessary and...

Session Id placement: Form Hidden Field vs. HTTPOnly Cookie

security,session,cookies,xss,csrf
What are the advantages and disadvantages of placing the Session Id in a form or a cookie? Is it correct to put the CSRF tag in a form hidden field and the Session Id in an httpOnly cookie? (Most secure) I'm a newbie in security...

XSS Within Javascript Data

javascript,xss
While working on a webapp, I discovered that upon bootstrapping your application, dangerous characters can actually exist within the initial data: <body> <script> var users = [ { id: 1, bio: 'My beautiful bio' }, { id: 2, bio: '</script><script>alert("hello")</script>' } ] </script> </body> This was news to me, as...

Handling of character references in an embedded SVG's script tags

javascript,html,svg,xss
This is an XSS script: <svg><script>&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg> The code between <script> tags will be translated to alert(1) by the browser and executed. But if I don't use a <svg> tag the code won't be translated to script. Can anyone tell me why this happens? How does the <svg> tag work?...

Validate CSS in C#

css,escaping,xss
I have a web app which generates HTML-code. The user can enter some CSS-code, which is automatically inserted inside of a <style></style> tag. Now a malicious user could enter something like </style><script>maliciousFunction();</script><style> here. But if I simply escape the whole input, then also valid CSS is escaped (like braces for...

Issue about XSS Attack and SQL Injection

php,security,mysqli,xss,sql-injection
I'm new to web security. After spending time reading some blogs and community sites like SO, I have found some techniques to be safe from XSS attacks and SQL injection. But the problem is, most of those security-related questions are very old. So, my question is: does my following code have any major security holes...

How to protect from injection attacks when using KnockoutJS?

knockout.js,xss
Our company was planning to use Knockoutjs but I found this link discussing security issues in KnockoutJS. They are saying that people can easily inject malicious code in the data-bind attribute. For example: <script src="http://knockoutjs.com/downloads/knockout-2.3.0.js"></script> <div data-bind="x:alert(1)" /> <script> ko.applyBindings(); </script> I do not have a very good understanding of XSS attacks,...

XSS HTTP parameter pollution and getQueryString()

jsp,security,xss
I'm dealing with XSS issues and found a problem I don't know how to solve. I have a report from Acunetix saying: Details POST (multipart) input query was set to idMenu=14&n907758=v929899 Parameter precedence: first occurrence Affected link: /MYAPP/jspfs/plantilla.jsp?idMenu=14&n907758=v929899&int1=-1&accion1=edit Affected parameter: idMenu=14 In my jsp I've something like this: <input type="hidden"...

Protect Express against XSS: is it sufficient to encode HTML entities of whole incoming request?

node.js,express,xss,sanitize
I have an Express app that I want to protect against XSS. I read some pages about XSS, including the OWASP ones, and in view of my application's characteristics, I decided to write a middleware that encodes HTML entities (more precisely XML entities, including <>"') of my request...

Can different subdomains of the same app prevent malicious attack like XSS?

security,xss,same-origin-policy
In my Rails app I have 2 subdomains. One: members.myapp.com, which is the area shared between all members (where they can log in and manage their accounts). Two: each member has its own website on a subdomain like this: member1.myapp.com, member2.myapp.com, member3.myapp.com etc... Let's imagine that user1.myapp.com runs...

What is this usage of alert in JavaScript?

javascript,html,xss
Here is some XSS code: <img src=x onerror="javascript:window.onerror=alert;throw 1"> I can't understand the usage of alert here. Why don't we need parentheses after the alert? And I can't understand the behavior of the browser. The browser will pop up a box and display Uncaught 1. It looks like the browser...

Input special character in search string when handled at server side

javascript,html,regex,security,xss
I'm testing a project I'm working on. Here I've put a filter on the server side (Java) to redirect the page to an Error page whenever I encounter any HTML-tag-like regex (URL-encoded is also checked) in the query string. As per my skill set, it's working fine. But I'm very much sure...

XSS and file_get_contents?

php,xss,file-get-contents
My url is like page.php?path=content/x/y/z/aaa.md. Is the following php code XSS-secure? include "Parsedown.php"; function path_purifier($path) { if(substr($path, 0, 8) !== "content/") return null; if (strpos($path,'..') !== false) return null; return "./" . $path; } $parsedown = new Parsedown(); $path = $_GET['path']; $path = path_purifier($path); echo $parsedown->text(file_get_contents($path)); Thanks for your attention...

ng-bind-html doesn't prevent cross site scripting

javascript,angularjs,xss
I used ng-bind-html in order to prevent cross site scripting, read about sanitize and found this discussion and another good discussion. However, it didn't work for me; can you please help me figure out why? HTML: <p class="big-text" ng-bind-html="to_trusted(message)"> JS: $scope.to_trusted = function(html_code) { return $sce.trustAsHtml(html_code); }; when I'm...

Bootstrap XSS attack on Popovers

twitter-bootstrap,xss
I've read here that I can enable HTML in a popover, which can be a potential issue for XSS attacks. In my case popovers will contain nothing like forms or the like, but only text or links or tables or images. Can I use them safely without incurring XSS...

Is the '&' character safe against xss attacks? [duplicate]

html,security,xss
This question already has an answer here: Cross Site Scripting (XSS): Do I need to escape the ampersand? I wonder if the character & is safe to be output to a browser. In case '<' '>' '\'' '\"' '=' are all encoded, is there a possibility to...

Safest way to take user input, put it in the database, and then output it using PHP [closed]

php,codeigniter,xss,sanitization,input-sanitization
This is the most confusing part I encountered today. I'm using CodeIgniter, but its XSS filter doesn't seem to work properly as we expect, so we tried using htmlentities while saving the data into the database, but I read somewhere that we should never change/edit the user-inputted data in the database,...

XSS prevention and .innerHTML

javascript,encoding,xss,innerhtml
When I allow users to insert data as an argument to the JS innerHTML function like this: element.innerHTML = "User provided variable"; I understood that in order to prevent XSS, I have to HTML encode, and then JS encode the user input because the user could insert something like this:...

Submitting form still at risk from XSS

javascript,jsp,xss,getparameter
I am assigned to fix security issues on legacy code and I was given results from a security scan: Poor Error Handling: Server Error Message ( 10932 ) Basically, when the scan tries to access with some weird code: www.mywebsite.com/myapp/jspPage.jsp?myVar=Approved%26rhppvar%3DRHPP1234 The server returns a 500 error code, but I have a page that...

XSS in angularjs app and web api 2

angularjs,xss,asp.net-web-api2,antixsslibrary
I have a web application. I am using Angularjs and Web Api2. I have a simple form where the user can insert some free text that will be sent via email to other people. The text is also saved in the db and later can be shown on a web site page....

Yii2 : How to validate XSS (Cross Site Scripting) in form / model input?

validation,activerecord,yii,xss,yii2
Yii2 has support for XSS (cross-site scripting) validation of displayed data using the helper class \yii\helpers\HtmlPurifier; however this only validates and cleans up output code like this: echo HtmlPurifier::process($html); How to validate input for XSS such that this data is not stored in the database itself?...

Why does my XMLHttpRequest not allow XSS?

javascript,xmlhttprequest,client,cors,xss
I am writing a simple app to pull down news stories from the BBC RSS feed at http://feeds.bbci.co.uk/news/rss.xml. It needs to run entirely on the client and not make use of jQuery, so JSONP is not a possible solution. I have been testing with IE on localhost and clicking the...

PHP Vulnerability (XSS, …) > When can user input/url injection actually do harm?

php,security,variables,xss,user-input
Hope this question is not too unspecific, so... My question is, when do I actually have to pay attention to how I handle vulnerable variables and when do I not? E.g. it's obviously insecure to use something like ... echo $_POST['username']; // insecure !!! in your template. $_GET and $_SERVER...

What's the origin of an embedded script?

security,web,cors,xss
Suppose I embed a piece of JavaScript from B site into a page from A site. Does the B script's origin change to A? ADD 1 Just quote some official document: From RFC 6454 - The Web Origin Concept. 3.1 TRUST The same-origin policy specifies trust by URI. For example,...

Fortify Cross Site Scripting in File

security,model-view-controller,xss,fortify
I have the below code in the controller. The parameters base64String, fileName are being sent from the browser. var fileContent = Convert.FromBase64String(base64String); return File(fileContent, contentType, fileName); How do I address the XSS threat here? The above code is based on a fix recommended here Kendo UI Grid Export to Excel...

ASP.NET MVC XSS Input Field strip HTML/Scripts or Sanitize

asp.net-mvc-4,xss,antixsslibrary
I'm using ASP.NET MVC AntiXssEncoder to prevent XSS for INPUT fields on the Regeneration Form. However, on the Update page the user sees the below: Input Test &lt;b&gt;abc&lt;/b&gt; What's the best practice for this scenario? 1. Sanitize or Remove all HTML and Script Tags Thanks....

shortcut to escaping to prevent XSS

php,html,xss
I've just discovered that my website (html/php) is vulnerable to XSS attacks. Is there any way to sanitize my data besides manually adding htmlspecialchars to each individual variable that I send to the webpage (and probably missing a few, thereby leaving it still open to attack)?

Can XSS Be Used To Modify A Part Of My Website, One That Was Not Intended To Be Modified?

javascript,html,xss,flash-player
I am researching XSS, and all I can find so far is that ECMAScript can be used to 1) inject malicious code into let's say a profile page. (A page that is intended to be modified). Or 2) that HTML and ECMAScript can be used to modify the properties of...

In ASP.NET 4.5, how should I encode a string to be used as a JavaScript variable, to prevent XSS attacks

javascript,asp.net,xss,antixsslibrary
I know of several ways to do this, but they all have some downside. Is there an "accepted" way of doing it, that is considered the best? I used to use the Microsoft.Security.Application.AntiXss.JavaScriptEncode() which is great, but AntiXSS has been end-of-lifed because the encoder is now included in .NET as...

Newline characters disappear after uploading a txt to a server

javascript,d3.js,newline,xss,plaintext
Can't parse any data from a txt file (not a csv for a reason) when it's uploaded to a server because all the newline characters are apparently gone. The d3.js parser that I'm using, parseRows, does not work properly without them. On a local server everything seems to be fine. d3.text('fileName.txt', 'text/plain',...

Is there a direct way of appending text to a DOM element with jQuery?

javascript,jquery,xss
Is there a more direct way of writing the following in jQuery? var $b = $('b'); $b.text($b.text() + ', World!!'); <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"> </script> <b>Hello</b> This seems like something jQuery would have existing functionality for, as vanilla JavaScript can do it by direct access to the property. document.querySelector('b').innerText += ', World!!';...

How do I catch javascript code injection in URL using python?

javascript,python,html,url,xss
How do I detect malformed URLs, or URLs with javascript injected in them 'http://example.com/portal/image/user_male_portrait?img_id=755109&t=1372243875358"><script>setTimeout(function () {document.body.innerHTML = \'<img src="http://images.example.com:9191/public/rickroll.gif" style="display: block; width: 100%">\'; }, 100);</script><!--' 'http://example.com/portal/image/user_male_portrait?img_id=566203&t=1350313911834' The first URL is malicious while the second one is not. I want to be able to flag the...

Does HTML Encoding have any cons?

asp.net-mvc,razor,encoding,utf-8,xss
I develop a project on the ASP.NET MVC framework. All files and charsets are in UTF-8. I'm using model bindings and in some of my models the display property includes some accented chars or single/double quotes. As the Razor engine automatically encodes helpers (i.e. DisplayNameFor), the accented chars and quotes are encoded....

Confused about protecting against XSS and which tools to use

asp.net-mvc,vb.net,razor,xss
VS2013, MVC, VB I'm asking this question now because much time has passed since most of the posts that I read about XSS protection. In the spirit of SO, my technical question is if someone can confirm that Microsoft's HtmlAgilityPack does not really do what AntiXSS does. I've read posts...

output data from database using htmlspecialchars() that has been filtered using filter_input()

php,security,mysqli,xss,htmlspecialchars
I have found from different blogs that it is strongly recommended to use htmlspecialchars() to output any data on screen to be safe from XSS attacks. I am using filter_input() to filter any data that comes from the user before inserting it into the database. filter_input() converts special characters like ' to &#39;...

How does Tumblr implement their global navigation?

javascript,security,iframe,xss,tumblr
Every blog on Tumblr has these two buttons at the top right corner of the page: This global navigation is inside an iframe which points to tumblr.com. How does Tumblr implement this feature securely? Tumblr themes can contain untrusted scripts and tumblogs can run on a custom domain (i.e. not...

Are cookies safe?

javascript,jquery,cookies,xss,jquery-cookie
I want to create a webpage which redirects a user if some cookies are previously set by my webpage. Like this: (I am using a jquery cookie plugin) // get cookies var email = $.cookie("email_addr"); var postcode = $.cookie("post_code"); if(email != undefined && postcode != undefined) { // insert cookies...

Why do browsers have Same-Origin policies when workarounds like JSONP and CORS exist?

ajax,security,jsonp,cors,xss
This question is kind of a duplicate of: Why same origin policy for XMLHttpRequest However, this answer isn't satisfactory because it doesn't address the fact that there are workarounds (as stated in the question). The answer only addresses security concerns related directly to the XMLHttpRequest but these problems are still...

Why doesn't this XSS attack work?

xss
I want to inject some XSS code into a site. The source code is like this: <span class="c_red">"aaa"</span> The word aaa is displayed on the screen. Then I injected some shellcode into the searchbox. The code I inputted is like this: </span><img src=* onerror=alert(1) /><span>" So, the result code is...

Spring MVC : Preventing Exceptions when binding model attribute

java,spring,spring-mvc,xss
In my model(s) I use numeric data types like Long, Integer etc. When I do a form post of them but supply a String, it outputs an Exception stack trace, including e.g. NumberFormatException. How can I properly wrap this so that the UI does not see the exception stack trace?

Is there any safe way to keep rest auth token on the client side for SPA?

rest,authentication,cookies,xss,token
If we get a token from the REST server and use the AuthorizationToken header in every request for authorization, we still need to keep it when the browser's page is closed. The only universal way to do it is to put the token in cookies. But in such a way even if the...

Is DOM-based XSS possible in this example?

javascript,security,xss,ecmascript-6
I've been reading a bundle of documents about DOM based XSS but I still can't figure it out. Let's take a look at my example. var html = ` <a class="url" href="${untrustedURL}"> <img src="${untrustedSource}"> </a> <span class="name" data-value="${untrustedValue}">${untrustedText}</span> `; document.querySelector('#user').innerHTML = html; How can an attacker exploit the vulnerabilities of...

htmltextwriter and cross site scripting

asp.net,vb.net,webforms,xss,htmlwriter
Just a quick question. I was asked to go through a VB app and fix all the places where cross site scripting could happen. I changed the <%= to <%: and everywhere they were putting together html in the code and injecting a string I changed to server.htmlencode or server.urlencode...

HTML instead of URI encoding in regard to XSS?

html,encoding,uri,xss
I'm inserting untrusted data into the href attribute of an <a> tag. Based on the OWASP XSS Prevention Cheat Sheet, I should URI encode the untrusted data before inserting it into the href attribute. But would HTML encoding also prevent XSS in this case? I know that it's a URI context...