javascript - Input special character in search string when handled at server side -
i'm testing project i'm working on. here i've put filter on server side(java) redirect page error page whenever encounter html tag regex(url encoded checked) in query string. per skill set, it's working fine. i'm sure it's not end. there must way still enter vector execute xss script.
examples : <hello> redirects error page
%3chello%3e
converts <hello> , redirected error page
%253chello%253e
converts %3chello%3e
& page works fine no html tag found.
- the approach you're trying black-list approach search bad characters (ie <, >) , redirect error page and\or encode it. wrong approach. should use white list of permitted characters , redirect error page if input contains non-permitted characters. 1 way enforce approach regular expressions:
^[a-za-z0-9]*$
or^[\s\w]*$
. adding both client validation , server validation keep safe , error-free (unless hacker tries bypass client validation in in case server validation stop him). if try guess attacker's method destined fail. - the right way encode user originated input prevent xss html encoding, not url encoding (not
%3chello%3e
,>hello<
). - if encode user input don't have redirect user error page examples gave , ones gave harmless
having said that, here example of xss without < , >: let's page receives picture file name , displays it, , not encode quote character:
https://contoso.com/displaypic?source=111.jpg <img src="111.jpg"></img>
if access url, have xss:
https://contoso.com/displaypic?source=a"+onerror="alert('xss') <img src="a" onerror="alert('xss')"></img>
Comments
Post a Comment