javascript - Input special character in search string when handled at server side


I'm testing a project I'm working on. Here I've put a filter on the server side (Java) that redirects the page to an error page whenever it encounters an HTML tag regex (URL-encoded is also checked) in the query string. As per my skill set, it's working fine, but I'm sure that's not the end; there must be a way to still enter a vector and execute an XSS script.

Examples:
<hello> redirects to the error page
%3chello%3e converts to <hello>, redirected to the error page
%253chello%253e converts to %3chello%3e and the page works fine, since no HTML tag is found.

  1. The approach you're trying is a black-list approach: search for bad characters (i.e. <, >) and redirect to the error page and/or encode them. This is the wrong approach. You should use a white list of permitted characters and redirect to the error page if the input contains non-permitted characters. One way to enforce this approach is with regular expressions: ^[a-zA-Z0-9]*$ or ^[\s\w]*$. Adding both client validation and server validation will keep you safe and error-free (unless the hacker tries to bypass client validation, in which case server validation will stop him). If you try to guess the attacker's method you are destined to fail.
  2. The right way to encode user-originated input to prevent XSS is HTML encoding, not URL encoding (not %3chello%3e, but &gt;hello&lt;).
  3. If you encode the user input you don't have to redirect the user to an error page; the examples you gave, and the ones I gave, are harmless.
  4. Having said that, here is an example of XSS without < and >: let's say a page receives a picture file name and displays it, and does not encode the quote character:

    https://contoso.com/displaypic?source=111.jpg  <img src="111.jpg"></img> 

    If you access this URL, you have XSS:

    https://contoso.com/displaypic?source=a"+onerror="alert('xss')  <img src="a" onerror="alert('xss')"></img> 
