Preventing JavaScript Injection

Simon

Hi,

I have a site where users have been granted a lot of flexibility when it
comes to entries.
They cannot add any code as far as I can see that would harm the server, but
they could add JavaScript code that could be harmful to visitors, (or just
annoying).

So I want to prevent them from running bad scripts on the visitors of their
pages.

Scripts like...
What I was thinking of doing was
1) Send me an email when any user adds an entry with the word "<SCRIPT" in
it
2) Send me an email when any user adds an entry with the word "<EMBED" in it
3) Replace "location.replace(...)" with "/*location.replace*/(...)" to
prevent being redirected to another page on load.

Would points 1) and 2) ensure that I catch all the possible scripts, (or is
there another way of starting a script)?

What other code do you think I should 'monitor'?

Simon
 
VK

Simon said:
Hi,

I have a site where users have been granted a lot of flexibility when it
comes to entries.
They cannot add any code as far as I can see that would harm the server, but
they could add JavaScript code that could be harmful to visitors, (or just
annoying).

So I want to prevent them from running bad scripts on the visitors of their
pages.

Scripts like...
What I was thinking of doing was
1) Send me an email when any user adds an entry with the word "<SCRIPT" in
it
2) Send me an email when any user adds an entry with the word "<EMBED" in it
3) Replace "location.replace(...)" with "/*location.replace*/(...)" to
prevent being redirected to another page on load.

Would points 1) and 2) ensure that I catch all the possible scripts, (or is
there another way of starting a script)?

No they don't - this primitive defence has been bypassed an endless number
of times.

See my post in the thread:
<http://groups.google.com/group/comp..._frm/thread/eb4dd17efe90f7be/9d0548937813dae7>

The only acceptable security you can get is by allowing a pre-defined set
of pseudo-tags, rendered into real tags on the server side. Like say
for bold, [em] for emphasis etc.

Also see the MyShere case mentioned in the thread at
<http://blog.outer-court.com/archive/2005-10-13-n73.html>

And at <http://namb.la/popular/tech.html> you can read the actual
hacker's explanation of how he bypassed a defence of the kind you are
thinking about (but which was thought to be way more "robust").
 
Simon

VK said:
No they don't - this primitive defence has been bypassed an endless number
of times.

See my post in the thread:
<http://groups.google.com/group/comp..._frm/thread/eb4dd17efe90f7be/9d0548937813dae7>

The only acceptable security you can get is by allowing a pre-defined set
of pseudo-tags, rendered into real tags on the server side. Like say
for bold, [em] for emphasis etc.

Also see the MyShere case mentioned in the thread at
<http://blog.outer-court.com/archive/2005-10-13-n73.html>

And at <http://namb.la/popular/tech.html> you can read the actual
hacker's explanation of how he bypassed a defence of the kind you are
thinking about (but which was thought to be way more "robust").


Thanks for that, quite an interesting read indeed.

Thankfully, (sic), we are not as big as MySpace or MyShere, but it won't
hurt to follow some/all of their procedures.

In the meantime, I will also flag any entries that have more than 5 or 6 "{",
"(", ")" or "}"; that might help a little.

Simon
 
Lasse Reichstein Nielsen

Simon said:
In the meantime, I will also flag any entries that have more than 5 or 6 "{",
"(", ")" or "}"; that might help a little.

I like to make parenthesised comments, so I would be sure to hit that
limit fast :)

A whitelist is still the only way to be sure. If you publish the rules
you check for (as you just did :), it's fairly simple for a proficient
Javascript programmer to avoid it.

Inject this!

<div style='background-image:url(javascript:document.write("</body>"););">Sorry!</div>

<div onmouseover='location.href="http://mysluttysexsite.com/";'>
my entire message that looks plausible
</div>

They have respectively four and zero parentheses.

/L
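VK's recommendation above (a pre-defined set of pseudo-tags rendered into real tags on the server) and Lasse's point that only a whitelist is reliable, as an added example that is not code from this thread or from Simon's site. The pseudo-tag set, the `[url]` rule and the sample entry are assumptions for illustration.

```javascript
// Added example (not from the thread): a whitelist renderer for user entries.
// Every character is HTML-escaped first, so raw <script>, <embed>, on*="..."
// handlers and style="url(javascript:...)" in the input become inert text.
// Only the pseudo-tags listed below are then turned into real elements.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Assumed pseudo-tag set: pseudo-tag name -> real element name (no attributes).
const ALLOWED = { b: 'strong', i: 'em', em: 'em', u: 'u', p: 'p' };

// [url]...[/url] becomes a link only for absolute http(s) URLs, so a
// javascript: or data: scheme can never reach an href.
const SAFE_URL = /^https?:\/\/[^\s"'<>]+$/i;

// Replaces [tag]inner[/tag] pairs (same name at both ends) on already-escaped
// text. Unknown or unbalanced pseudo-tags stay literal text, never markup.
function renderPseudoTags(escaped) {
  return escaped.replace(/\[(\w+)\]([\s\S]*?)\[\/\1\]/g, (match, name, inner) => {
    const key = name.toLowerCase();
    if (key === 'url') {
      return SAFE_URL.test(inner) ? `<a href="${inner}">${inner}</a>` : match;
    }
    const tag = ALLOWED[key];
    if (!tag) return match;
    return `<${tag}>${renderPseudoTags(inner)}</${tag}>`; // recurse for nesting
  });
}

// Entry point: escape first, then whitelist. The order matters: escaping
// after rendering would also escape the tags this code just produced.
function renderEntry(text) {
  return renderPseudoTags(escapeHtml(text));
}

// Constructed sample entry mixing allowed markup with an injection attempt.
const sample = "[b]Hello[/b] <div onmouseover='location.href=\"http://example.com/\"'>hi</div>";
console.log(renderEntry(sample));
```

Because the entry is escaped before any rendering, there is no path from user text to a tag, attribute or URL scheme that the whitelist did not produce, which is what the brace-counting and forbidden-word checks discussed in the thread cannot guarantee.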
 
VK

Lasse Reichstein Nielsen wrote:
<div onmouseover='location.href="http://mysluttysexsite.com/";'>
my entire message that looks plausible
</div>

They have respectively four and zero parentheses.

Hey, the server was down! :-( :-D

:-|
The OP's question is really outside the regulations of c.l.j. That is the
famous "acceptable potential hackers" dilemma. Any system is vulnerable
by default to N experienced hackers (a system vulnerable to 0
hackers cannot exist by the laws of thermodynamics). The more robust the
system, the smaller the number N. As hackers, being human beings, cannot be
fractional (0.5 of a hacker cannot exist), the system tends to the Super
System - Super Hacker solution. So eventually the equation solves to one
absolutely unbreakable system and the only one person able to hack it. If
such a person appears to be a law-abiding member of society, the equation
will be solved by non-mathematical methods. Otherwise your only
solution is to decide what N% is acceptable for your current situation.
Every 2nd? No more than half? 1% of your visitors? For the last, the
proposed measures are good enough.

P.S. Super Hacker theory is taken from the black hackers' bible, which
I never saw of course. Just rumors.
 
Simon

Lasse Reichstein Nielsen said:
I like to make parenthesised comments, so I would be sure to hit that
limit fast :)

A whitelist is still the only way to be sure. If you publish the rules
you check for (as you just did :), it's fairly simple for a proficient
Javascript programmer to avoid it.

Inject this!

<div
style='background-image:url(javascript:document.write("</body>"););">Sorry!</div>

<div onmouseover='location.href="http://mysluttysexsite.com/";'>
my entire message that looks plausible
</div>

They have respectively four and zero parentheses.


I am not saying that my system would be 100% foolproof.
But currently I am rejecting any "javascript", (and thanks to VK I am now
rejecting broken Javascripts, (java\nscript)).

I am also removing any onWhatever=....

And I am also removing all the "location.replace" and "location.href".

Over and above that I still think that monitoring entries that contain
suspicious chars, ({, (, ), }) will possibly help me in noticing possible
illegal patterns.

Furthermore, I flag a user that "previews" messages with weird code, because
that usually tells me that they are indeed trying to do something strange.

Simon
 
Simon

VK said:
Lasse Reichstein Nielsen wrote:


Hey, the server was down! :-( :-D

:-|
The OP's question is really outside the regulations of c.l.j. That is the
famous "acceptable potential hackers" dilemma. Any system is vulnerable
by default to N experienced hackers (a system vulnerable to 0
hackers cannot exist by the laws of thermodynamics). The more robust the
system, the smaller the number N. As hackers, being human beings, cannot be
fractional (0.5 of a hacker cannot exist), the system tends to the Super
System - Super Hacker solution. So eventually the equation solves to one
absolutely unbreakable system and the only one person able to hack it. If
such a person appears to be a law-abiding member of society, the equation
will be solved by non-mathematical methods. Otherwise your only
solution is to decide what N% is acceptable for your current situation.
Every 2nd? No more than half? 1% of your visitors? For the last, the
proposed measures are good enough.

P.S. Super Hacker theory is taken from the black hackers' bible, which
I never saw of course. Just rumors.

I cannot agree more with you.
My code will not be 100% safe, it never will be safe as far as I can see it.

I also agree that pseudo-tags would be a better option by far.
Unfortunately other blog hosts do not offer such a system and to keep our
users happy, (and to keep making money :)), we have to bend some blatant
rules.
One of those rules is to allow html code.

Simon
 
