XSS (Cross-Site Scripting)

By | November 12, 2015

Cross-Site Scripting (XSS) is a vulnerability that appears when an attacker is able to execute HTML, JavaScript or VBScript code in your application. As a result, the attacker can steal session cookies or passwords, or crash the page. XSS is one of the most serious and common attacks on web applications. Protection from XSS attacks is especially important for external pages; internal pages are accessible to only a limited number of users (but they are still at risk).

Example (vulnerable):

Apex controller:

VF Page:

As a result, the JavaScript code is executed and obtains information about a certain cookie. The variable strXSS can contain anything and therefore cause irreversible damage.

To avoid this danger, characters need to be encoded. For example, if the variable ‘strXSS’ is used in an HTML context, the characters ‘<’ and ‘>’ are encoded as ‘&lt;’ and ‘&gt;’ respectively. In a JavaScript context, the same characters are encoded as ‘\u003C’ and ‘\u003E’ (link).

The Salesforce platform provides the following Visualforce encoding functions:

  • JSENCODE — performs string encoding within a JavaScript string context.
  • HTMLENCODE — replaces characters that are reserved in HTML with the corresponding HTML entities, so that they are not interpreted as markup.
  • URLENCODE — performs URI encoding (%-style encoding) within a URL component context.
  • JSINHTMLENCODE — a convenience function that is equivalent to the composition HTMLENCODE(JSENCODE(x)).

You can find more information here: link.
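Why the encoder has to match the output context, as an added example that is not from the original post or from Salesforce. The encoders are simplified JavaScript stand-ins for HTMLENCODE, JSENCODE and JSINHTMLENCODE; the `show` handler and the sample value are constructed for illustration.

```javascript
// Added illustration: simplified encoders, not Salesforce's implementation.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNENT = Object.fromEntries(Object.entries(ENT).map(([c, e]) => [e, c]));

// HTML context (the role of HTMLENCODE): markup characters become entities.
const htmlEncode = s => s.replace(/[&<>"']/g, c => ENT[c]);

// JavaScript string context (the role of JSENCODE): quotes, backslash, line
// breaks and angle brackets become \uXXXX so they cannot end the literal.
const jsEncode = s => s.replace(/[\\'"<>\n\r\u2028\u2029]/g, c =>
  '\\u' + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));

// JS string inside an HTML attribute (the role of JSINHTMLENCODE).
const jsInHtmlEncode = s => htmlEncode(jsEncode(s));

// The browser HTML-decodes an attribute once before running it as script.
const htmlDecode = s => s.replace(/&(?:amp|lt|gt|quot|#39);/g, e => UNENT[e]);

// Simulate onclick="show('VALUE')" (show is a hypothetical handler): return
// the string literal the script engine reads and what follows its closing quote.
function handlerArgument(encode, value) {
  const js = htmlDecode("show('" + encode(value) + "')");
  let data = '', i = 6; // index 6 is the first character after show('
  while (i < js.length && js[i] !== "'") {
    if (js[i] === '\\' && js[i + 1] === 'u') {
      data += String.fromCharCode(parseInt(js.slice(i + 2, i + 6), 16));
      i += 6;
    } else {
      data += js[i++];
    }
  }
  return { data, trailing: js.slice(i + 1) }; // intact only if trailing === ')'
}

// Constructed sample value: contains a quote, an entity and a tag.
const SAMPLE = "O'Brien &#39; <i>";

// Try each encoder in the attribute context and report whether the value
// stayed inside the string literal unchanged.
function demo() {
  return [htmlEncode, jsEncode, jsInHtmlEncode].map(enc => {
    const r = handlerArgument(enc, SAMPLE);
    return { encoder: enc.name, intact: r.data === SAMPLE && r.trailing === ')' };
  });
}
console.log(demo());
```

Only the composed encoder keeps the value inside the string literal here. Inside a `<script>` block, where the browser does no entity decoding, the JavaScript encoder alone is the matching one.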

Example of encoding some characters: XSS

Example (Safe):

Controller:

Visualforce:

Example (vulnerable):

Let’s suppose that we want to show the following string in italic:

We decide to write it like this:

In the <apex:outputText> component we set the attribute escape=false, and exactly this makes the output vulnerable.

Note: Salesforce works to reduce these vulnerabilities: pages built with Apex and Visualforce are protected against XSS, and escape="true" is set by default in the components that can execute JavaScript.

Controller:

VF Page:

As a result, only the word «Hello» will be italic and the JavaScript code is executed, which displays a pop-up message (‘alert’ command).

To protect this component we need to use HTMLENCODE.

Example (Safe):

Controller:

Visualforce:

As a result, the screen displays the following text in italics:

Hello  ‘<script>  alert(1); </script>

XSS vulnerabilities also apply to URLs. For safety reasons, you need to use URLENCODE.

Here you can find more details about testing XSS: link
