NetTalk Central
Author Topic: Security: HTML Injection / XSS attacks.  (Read 2278 times)
Bruce
Global Moderator
« on: August 16, 2012, 02:01:09 AM »

HTML Injection is a security issue which occurs when you let users enter "html" content. So, for example, if you have a text control on a form, and Allow xHTML is on, then you're allowing the user to enter HTML and content, and then you will display that content using their HTML markup.

Unfortunately HTML is not limited to visual markup though. It includes things like the <script> tag, which allows code to be embedded inside the content. When unwanted html appears in user content, that is called HTML Injection. If the code they inject is JavaScript then that is the start of a "Cross Site Scripting" (XSS) attack.

If this code runs on _another_ user's browser (no code runs on the server), then the attacker may be able to get information from them, or their computer, in a way that the programmer did not expect or intend.

In short, "cosmetics good, code bad."

For builds of NetTalk before 6.40 it was the responsibility of the developer (you) to make sure that anywhere you ticked on "allow xHtml", you checked that the xHtml you were displaying was "safe". However that's hard to do.

Scrubbing html of code is tricky because there are a large number of vectors that can be used. The <script> tag is not hard to remove, but it's the tip of the iceberg. So, to make it a bit easier, and ultimately more secure, from build 6.40 NetTalk has automatic scrubbing built in.

NetTalk uses a whitelist approach, accepting html it specifically recognizes as valid, and rejecting unrecognized html. This makes it more secure (because "new attacks" generally fall into the "unrecognized" camp.) The alternative (searching for specific bad code) may require updating regularly as new attack vectors are discovered.

In other words, some perfectly legitimate html tags are "blanket excluded" simply because they allow the user too much power. The legal tags excluded in this way are:

Excluded (by design):
base, body, button, canvas, comments, command, datalist, embed, eventsource, frameset, frame, form, head, html, iframe, input, keygen, link, menu, meta, nav, object, optgroup, option, param, script, select, style & textarea

In other words, content stored in your database, which will be displayed via a browse or form or whatever, will not be allowed to contain these tags.

Let me be 100% clear here. This does not affect the xHTML tab (where you can enter your own custom xHtml). It does not affect the html being generated by the templates. It only applies to html which is being read from the database - ie those places where you have explicitly ticked on "Allow xHTML".

The downside with this approach is that some "legitimate" HTML is not allowed. For example, the Hyperlinks example has a browse (BrowseMedia) which included HTML (youtube videos) containing <iframe> and <object>. Since those are both on the "not allowed" list, they are (by default) no longer playable. This may affect your application if you currently have very rich HTML content stored in your database.

So an extra switch has been added to the template: wherever an "Allow xHTML" option is located, there's now also an option to "Allow UNSAFE xHtml". This puts the onus back on you to scrub the HTML in an appropriate way.
But wait, there's more...

You may want to change the list of tags that are allowed, either by adding more allowable tags, or by disallowing some tags which are allowed by default. In this way you can adjust the level of safety, without having to go to a completely unsafe mode. To do this you can embed code in the .TagOk method in the WebServer procedure. For example:

! Embed before the parent call in WebServer.TagOk: p_tag is the tag name being checked
case lower(p_tag)
of 'object'
  return true    ! accept <object> even though it is excluded by default
end


Embedding this before the parent call would make the <object> tag allowable.

As always, security remains a process, not a destination, so remaining up to date (or reasonably up to date) with NetTalk builds is always recommended.
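As an added example (not NetTalk's code, and not Bruce's), here is a small whitelist scrubber in Python in the spirit of the approach described in the post: tags pass only if they are explicitly recognised, everything else is dropped, and an `extra_ok` hook plays the role of the `.TagOk` override so an application can re-admit a tag such as `<object>` without switching to "Allow UNSAFE xHtml". The excluded-by-design list is copied from the post; the allow lists for tags and attributes, the URL-scheme check and the handling of `<script>`/`<style>` content are assumptions made for this example and are not NetTalk's actual rules.

```python
"""Whitelist-style HTML scrubber (added example; not NetTalk's own code).

Tags are kept only if they are on an explicit allow list; everything else,
including the "excluded by design" list from the post, is dropped. The
extra_ok hook mirrors the WebServer.TagOk idea: an application can re-admit
a tag such as <object> without switching the whole scrubber off.
"""
from html import escape
from html.parser import HTMLParser

# The tags the post lists as excluded by design (copied from the post).
EXCLUDED_BY_DESIGN = {
    "base", "body", "button", "canvas", "comments", "command", "datalist",
    "embed", "eventsource", "frameset", "frame", "form", "head", "html",
    "iframe", "input", "keygen", "link", "menu", "meta", "nav", "object",
    "optgroup", "option", "param", "script", "select", "style", "textarea",
}

# Assumed cosmetic allow list for this example (not NetTalk's actual list).
ALLOWED_TAGS = {
    "p", "br", "b", "i", "u", "em", "strong", "span", "div",
    "h1", "h2", "h3", "ul", "ol", "li", "a", "img", "table", "tr", "td", "th",
}
# Assumed per-tag attribute allow list; "*" applies to every allowed tag.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "*": {"class"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")
VOID_TAGS = {"br", "img"}
# The content of these elements is code, not text, so it is swallowed wholesale.
CODE_CONTENT_TAGS = {"script", "style"}


class WhitelistScrubber(HTMLParser):
    def __init__(self, extra_ok=None):
        super().__init__(convert_charrefs=True)
        self.out = []          # rebuilt, safe markup
        self.dropped = []      # tag names that were rejected (useful for logging)
        self.extra_ok = extra_ok or (lambda tag: False)
        self.skipping = None   # name of the code-content element being swallowed

    def tag_ok(self, tag):
        """Whitelist decision; extra_ok plays the role of WebServer.TagOk."""
        if self.extra_ok(tag):
            return True
        return tag in ALLOWED_TAGS and tag not in EXCLUDED_BY_DESIGN

    def attr_ok(self, tag, name, value):
        if name.startswith("on"):            # event-handler attributes are code
            return False
        if name not in ALLOWED_ATTRS.get(tag, set()) | ALLOWED_ATTRS["*"]:
            return False
        if name in ("href", "src"):          # only plain http(s)/relative URLs
            return (value or "").strip().lower().startswith(SAFE_URL_PREFIXES)
        return True

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in CODE_CONTENT_TAGS:
            self.dropped.append(tag)
            self.skipping = tag              # drop the element and its body
            return
        if not self.tag_ok(tag):
            self.dropped.append(tag)         # unrecognised: drop the tag, keep the text
            return
        kept = [(n, v) for n, v in attrs if self.attr_ok(tag, n, v)]
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if self.tag_ok(tag) and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # text stays text

    def handle_comment(self, data):
        pass  # comments are on the excluded list; drop them


def scrub(html, extra_ok=None):
    """Return (safe_html, dropped_tags) for a stored user-supplied fragment."""
    parser = WhitelistScrubber(extra_ok)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    sample = '<p>Hi <b>there</b><script>alert(1)</script></p>'  # constructed input
    print(scrub(sample))
    print(scrub('<object data="x"></object>', extra_ok=lambda t: t == "object"))
```

The `dropped` list is worth writing to a log: a sudden rise in rejected `script`, `iframe` or `object` tags in stored content is an early sign that someone is probing the "Allow xHTML" fields.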
Niels Larsen
« Reply #1 on: August 16, 2012, 07:06:28 AM »

I've never thought of that. Nice to have "someone" to do the hard work for you.
Thanks!!
RayA
« Reply #2 on: August 16, 2012, 01:00:15 PM »

This is why we pay Bruce the BIG BUCKS!

Great Post Bruce!  Very informative!

« Last Edit: August 16, 2012, 01:02:24 PM by RayA »