CodeStore.net comments on "Hacking Domino: How to Filter Out XSS Attacks"

Reply from Debbie S.

Debbie S. — Fri, 20 May 2011 07:54:36 -0500

I'm searching for resolutions to the ever present threat of XSS and have read this post. An additional "booger" is when you have users that want to include angle brackets, especially with financial data or any other where comparison is made. For example, "probably of this aware is < 100%, but >= 80%. Please advise."

This is a common type comment made in one of our cost type applications. Unless the field is HTML, the < conversion won't work - it will take the literal '<' and display.

Add the dual complexity of storing data and then in a view or elsewhere hyperlinking part of that data for a clickable URL to open it or whatever. I would love to hear what the latest goings on are for this.

Reply from Jake Howlett

Jake Howlett — Tue, 10 Aug 2010 09:12:14 -0500

@Trevini. See the code example in the DEXT database which you can download from the Sandbox link above.

Reply from Triveni Ganta

Triveni Ganta — Tue, 10 Aug 2010 08:27:32 -0500

Hello Jake ,

Did u worked on how we can fix the XSS for domino ,if so can u please share the database to me

@trivenigk@gmail.com

thanks

Triveni

Reply from Howard Jacob

Howard Jacob — Mon, 26 Jul 2010 03:53:18 -0500

Hi all,

I urgently need a xss filter in java library format for one of my projects. What do you recommend?

In addition, is there any non-opensource type of xss filter which I can subscribe for service support?

Thanks in advance.

Reply from Colin Law

Colin Law — Mon, 12 Jul 2010 08:24:18 -0500

Hi Jake,

As you can see it's been some time since I have been back to your site. Please send me an email if you can and let me know what resources you have avail. for XSS. We have tried several things over the months including add-on software to no avail.

Thanks.

Reply from Jake Howlett

Jake Howlett — Tue, 20 Oct 2009 00:58:06 -0500

I have just the Java agent you're looking for Colin. Drop me a line via the "Contact Us" link at the bottom and we can discuss.

Reply from Colin

Colin — Mon, 19 Oct 2009 15:59:28 -0500

Hi All,

We recently did an appscan as part of the security process at work and found a number of cross site scripting issues with our apps. Has anyone developed a strategy to reolve this issue within domino???

Java agent or some type of coding method that does not require input validation on every field....

Thanks,

Colin

Reply from Jake Howlett

Jake Howlett — Wed, 15 Oct 2008 07:33:15 -0500

That's all very well madwhite but only works on fields where you don't want any HTML.What about fields where you do want to allow HTML to be entered? That's what I'm trying to deal with here with the tag whitelist.

Reply from madwhite hatter

madwhite hatter — Tue, 14 Oct 2008 14:20:05 -0500

I am using this simple bit of code, though it probaby needs more.

Public Function HTMLEncodeXSS(dirtyString As String) As String

Dim cleanString As Variant

Dim vOriginal(0) As String

Dim vFind(6) As String

Dim vReplace(6) As String

' scrub xss vulnerabilites

vOriginal(0) = dirtyString

vFind(0) = {<}

vFind(1) = {>}

vFind(2) = {%3c}

vFind(3) = {%3e}

vFind(4) = {"}

vFind(5) = {'}

vFind(6) = {\}

vReplace(0) = {<}

vReplace(1) = {>}

vReplace(2) = {<}

vReplace(3) = {>}

vReplace(4) = {";}

vReplace(5) = {'}

vReplace(6) = {\}

cleanString = Replace(vOriginal, vFind, vReplace)

HTMLEncodeXSS = cleanString(0)

End Function

Reply from A De

A De — Thu, 09 Oct 2008 21:32:42 -0500

I've used the htmlawed PHP filter for XSS checks; it allows mixed white- and black-list approaches.

See bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php and bioinformatics.org/phplabware/internal_utilities/htmLawed/rsnake/RSnakeXSSTest.htm

Reply from Per Henrik Lausten

Per Henrik Lausten — Sat, 27 Sep 2008 13:18:43 -0500

Jake, great work (as usual). I was looking for practical examples some time last year and did not really find anything useful. I needed the examples for a Domino web site with potential XSS vulnerabilities.

Reply from Jake Howlett

Jake Howlett — Fri, 26 Sep 2008 14:17:25 -0500

Devin. Glad you like it. I agree the whitelist approach is best.

mdmalph. According to the list at Link it "works" in IE7 too.

Reply from mdmadph

mdmadph — Fri, 26 Sep 2008 13:55:59 -0500

That one XSS attack you mention that works in the "style" param in IE -- is that just IE6? Or is IE7 afflicted, too?

Reply from Akash D.

Akash D. — Fri, 26 Sep 2008 11:56:57 -0500

Will you run into same issue if the login page is from Juniper and then Juniper can authenticate with Domino?

We use Juniper for external client authentication, juniper in turn will authenticate with domino server. Login in successfully the user is directed to home page.

Thanks

Akash

Reply from Devin Olson

Devin Olson — Fri, 26 Sep 2008 11:54:34 -0500

Hey there Jake. I've followed this entire series (lurk mode); and I've very much enjoyed it.

I was doing some testing, and even simple things like onmouseover="my malicious script" can get through without careful checking.

For normal (where HTML is not allowed) fields, the following input translation formula works very well:

@ReplaceSubstring(@Trim(@ThisValue); "<":">"; "<":">");

For fields where HTML IS allowed, I think the blacklist approach would ultimately prove unworkable. I think a whitelist approach is a much better idea.

Anyway, thanks for posting this very helpful series!

-Devin.