Penetration test findings - disallow special characters in insert/update behaviors
Hi Ray, our client recently had a pen test carried out and they've sent me the report, which I'm working my way through. One thing that was picked up was the ability to insert malicious JavaScript code in standard form fields (such as those for a Name). This is what the report says:
"It was observed that, for most fields where user input is accepted by the web application, content filtering was in place and unwanted characters were being encoded appropriately. However, it was seen that such filtering was not properly implemented for a user's first and last name in their profile. As a result, it was possible to insert malicious JavaScript into these fields that would execute every time the user visited their My Account page (screenshot of example attached)."
I've added a Restricted Content server validation behavior to the Name field to disallow characters such as <>{}(); but before I go through the entire site and update every standard text form field in the same way (there are a lot!), can I just check whether this is actually necessary? I've seen numerous posts on the forums regarding SQL injection, and I note that you say if standard server behaviors are used SQL injection isn't possible; I'm not sure if malicious JavaScript is the same, though. I've also seen on a few other forums that it's not a good idea to validate name fields (although the characters I've disallowed shouldn't cause any problems). What are your thoughts?
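The condition the report describes, modeled as an added example (this is not code from the original post, nor from the server behaviors it discusses): a stored first/last name concatenated into the account page with no encoding, next to the same page with HTML encoding applied at the point of output, which is what the report means by "unwanted characters were being encoded appropriately". The field names, the page fragment and both payloads are constructed for the example, and `hasDisallowedChars` is only an approximation of the `<>{}();` restriction the post mentions, not the tool's own rule.

```javascript
// Added example, not code from the original post or the tool it discusses.
// Models the report's finding: a profile's first/last name stored verbatim
// and echoed on the account page without output encoding. Field names, the
// page fragment and the payloads below are assumptions / constructed samples.

// Encode a value for HTML element text or a double-quoted attribute value.
// Only the five characters that can change how the browser parses those two
// contexts are touched; apostrophes, accents and hyphens in real names pass
// through unchanged, so nothing legitimate needs to be rejected at input time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reverse of escapeHtml, to show the stored value survives the round trip.
// &amp; must be decoded last so "&amp;lt;" does not turn into "<".
function unescapeHtml(value) {
  return String(value)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

// Vulnerable: the stored name is concatenated straight into the markup,
// the condition the report found for first and last name.
function renderProfileUnsafe(firstName, lastName) {
  return '<h1>Welcome, ' + firstName + ' ' + lastName + '</h1>\n' +
         '<input name="firstName" value="' + firstName + '">';
}

// Fixed: identical markup, every user-controlled value encoded at output.
// The database row is untouched; only the rendering changes.
function renderProfileSafe(firstName, lastName) {
  return '<h1>Welcome, ' + escapeHtml(firstName) + ' ' + escapeHtml(lastName) + '</h1>\n' +
         '<input name="firstName" value="' + escapeHtml(firstName) + '">';
}

// Would the browser see a script element in this fragment?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Pull the firstName attribute value back out of the fragment. Returns null
// when the attribute no longer closes where the template intended, i.e. the
// input broke out of the quoted value and added attributes of its own.
function firstNameAttribute(html) {
  const m = /<input name="firstName" value="([^"]*)">/.exec(html);
  return m ? m[1] : null;
}

// Approximation of the input restriction described in the post: reject the
// characters < > { } ( ) ;. Assumed behavior, not the tool's own code.
function hasDisallowedChars(value) {
  return /[<>{}();]/.test(value);
}

// Constructed sample inputs: one payload for element text, one for the
// attribute context, and two ordinary names.
const PAYLOAD_TEXT = '<script>alert(document.cookie)</script>';
const PAYLOAD_ATTR = '" onfocus="alert(1)" autofocus="';
const LEGIT_FIRST = 'Seán';
const LEGIT_LAST = "O'Brien";

function demo() {
  console.log('unsafe page carries script:', containsScriptTag(renderProfileUnsafe(PAYLOAD_TEXT, LEGIT_LAST))); // true
  console.log('safe page carries script:  ', containsScriptTag(renderProfileSafe(PAYLOAD_TEXT, LEGIT_LAST)));   // false
  console.log('attribute intact (unsafe): ', firstNameAttribute(renderProfileUnsafe(PAYLOAD_ATTR, '')) !== null); // false
  console.log('attribute intact (safe):   ', firstNameAttribute(renderProfileSafe(PAYLOAD_ATTR, '')) !== null);   // true
  console.log('name survives round trip:  ', unescapeHtml(escapeHtml(LEGIT_LAST)) === LEGIT_LAST);               // true
  console.log('blacklist rejects payload: ', hasDisallowedChars(PAYLOAD_TEXT));                                   // true
}
demo();
```

Run it with `node`. The point the example makes is that encoding at output protects every page that displays the value, whatever input validation is or is not in place, and it does so without altering what is stored, which is why it is the control the report is asking for on the My Account page.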