stackoom
  简体   繁体   中英

XSS with data coming from client but not saving in DB

 原文  2015-02-02 17:04:17       javascript/ xss

Question

Maybe it's simple question but I would like to discuss it with other specialists.

The problem.
User submits some form (for example post new thread at forum). His browser send data to web application, web application purifies data from js code and saves it to DB. That's ok.

Another case - user submits data to web application but he makes some error in data and the web application returns its data (without saving it to DB), put them in form (in order user not to fulfill all again) and displayes message error.

The question.
I've read somewhere that the following attack can be done - user follow some link (foreign link) that redirects to our site and sends with it data with js. So the question - should we purify data in second case?

2 answers

solution1
 0  2015-02-02 17:20:53

All you have to do is to submit the form by AJAX. 

$("#myForm").ajaxForm({url: 'server.php', type: 'post'})

or 

$("#myForm").ajaxSubmit({url: 'server.php', type: 'post'})

If the data was:

  • correct you return the URL to redirect.
  • invalid, you return the errors to display.

No need for additional functionality like "purify data".

solution2
 0  2015-02-03 12:06:28

Do you mean a CSRF attack (Cross Site Request Forgery)?

This is where if your site has a form, say it is example.com : 

<form method="post" action="/postThread.php">

an attacker could include a similar form on their website: 

<form method="post" action="https://example.com/postThread.php">

and entice the victim to visit their site whilst they are also logged into example.com .

They could include some JavaScript to submit their form (either by submitting the HTML form, possibly loaded in an IFrame or by AJAX). The end result is that the thread would be started on your site by the attacker, under the identity of the victim, as the victim's cookies would be submitted with the POST.

A quick way to defend against this is to set and check the X-Requested-With header if all your POSTs are done via AJAX. If not, you may want to look into the OWASP recommended Synchronizer Token Pattern .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to safely XSS encode untrusted data coming from PHP through AJAX injected into the DOM via javascript? mongodb having multiple conditions for $nin and data coming from the client Dictionary object not being initialized with data coming from client How to pass data from a Node/Express server to the client (JavaScript) while allowing sanitized HTML but preventing XSS? Saving data lat/lng into db from google maps api? Saving data from DB and then using it in body for API in cypress Unescapping client data in C# to prevent XSS or other attack Is it an XSS vulnerability to assign JavaScript variables with untrusted data on the client side? Saving data to DB with AngularJS and PHP Server data coming through as [Object object] on client
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM