close ad
 
Important WebAssist Announcement
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Penetration test findings - disallow special characters in insert/update behaviors

Thread began 4/09/2022 9:56 am by Mags | Last modified 4/12/2022 4:41 pm by Ray Borduin | 394 views | 13 replies |

Mags

Penetration test findings - disallow special characters in insert/update behaviors

Hi Ray, our client recently had a pen test carried out and they've sent me the report, which I'm working my way through. One thing that was picked up was the ability to insert malicious Javascript code in standard form fields (such as those for a Name) - this is what the report says:

"It was observed that most fields where user input is accepted by the web application, content filtering was in place and unwanted characters were being encoded appropriately. However, it was seen that such filtering was not properly implemented for a user’s first and last name in their profile. As a result, it was possible to insert malicious JavaScript into these fields that would execute every time the user visited their My Account page (screenshot of example attached)."

I've added a Restricted Content server validation behavior to the Name field to disallow characters such as <>{}(); but before I go through the entire site and update every standard text form field in the same way (there are a lot!), can I just check if this is actually necessary? I've seen numerous posts on the forums regarding sql injection and I note that you say if standard server behaviors are used sql injection isn't possible - not sure if malicious javascript is the same though. I've also seen on a few other forums that it's not a good idea to validate name fields (although the characters I've disallowed shouldn't cause any problems). What are your thoughts?

Sign in to reply to this post

Ray BorduinWebAssist

Can I see a copy of the my account page? Are you using MySQLi? It should have automatic protection from this happening.

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

Glad to see I'm not the only one working on a Saturday! Yes, it's MySQLi. Page is attached - the only update I've made since they checked it is to add a restricted content validation on the Name and Firm fields.

Sign in to reply to this post

Ray BorduinWebAssist

That is odd. Can I get FTP access and a URL to reproduce it? I'll be able to track it down that way, but it looks like the code is right and should be protected automatically.

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

Yes of course, details in PM.

Sign in to reply to this post

Ray BorduinWebAssist

I can't seem to get in with that FTP information. Does it have IP restrictions that might be keeping me out?

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

That's odd, it's not too long since you last accessed it. Are you using SFTP, port 2020? If you could give me your IP I can ask my client to add it to the whitelist on the Cloudflare server, although not sure how quickly he'll be able to do it - might be tomorrow.

Sign in to reply to this post

Ray BorduinWebAssist

I was able to get FTP working with Dreamweaver. It didn't work with Filezilla. Can I get a url to reproduce the issue? I'll take a look.

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

Details in PM.

Sign in to reply to this post

Ray BorduinWebAssist

I see the issue. The problem stems from you using a session variable that is set on the login page from the database and displaying it.

The values set from the login page aren't encoded by default like values displayed from the recordset are. I think the best solution would be to just add the encoding when the value is displayed. So on line 170 of my-account.php instead of:

echo $arr[0];

use:

echo htmlspecialchars($arr[0]);

Sign in to reply to this post
Did this help? Tips are appreciated...
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...