Shephali Swarnkar
Hi All,
I have got Reflected XSS vulnerabilities reported for my app. The lines mentioned in the report are:
Reproduction steps:
1. Login to the native application
2. Navigate to the respective tab
3. Select a user from the drop down list, intercept the request
4. Apply the attack value in the mentioned parameter name.
I am unable to find out where and what needs to be changed.
Note: In the above mentioned page we select the user from a drop down list and get the details of the tasks assigned to that user.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Up to my understanding, I may have got this XSS issue because I have used the following Apex code to get the details of the user's task list:
<apex:pageBlock title="Details" id="block1">
<apex:detail subject="{!$CurrentPage.parameters.UserInput}" relatedList="false"/>
</apex:pageBlock>
But at the same time, when I browse this link https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting#Apex_and_Visualforce_Applications
I found
<apex:outputText>
{!$CurrentPage.parameters.userInput} <!-- safe (auto HTML Encoded) -->
</apex:outputText>
Question: If this is not vulnerable to XSS, then why did I get this reflected XSS for my app?
Need help to find out the exact vulnerable code and the solution for it.
Thanks
How to Mitigate Reflected XSS
Hi James,
Thanks for your reply.
Can you please explain with an example how to sanitize the input, and do we need to sanitize the input only when we use merge fields?
As follows:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Eg. 1: <apex:commandlink value="{!t.Owner.Name}" rerender="block1">
Code after sanitizing the input:
<apex:commandlink value="{!JSENCODE(HTMLENCODE(t.Owner.Name))}" rerender="block1"> (please correct if wrong)
I think I don't need JSENCODE here as I am not using any JavaScript.
What about other inputs, for example: <apex:selectList size="1" value="{!SelectedOwnerId}">
Should I encode this too, as this is where the end user will select the values from the dropdown list?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Eg. 2: Encoding for the above mentioned code.
<apex:pageBlock title="Details" id="block1">
<apex:detail subject="{!$CurrentPage.parameters.UserInput}" relatedList="false"/>
</apex:pageBlock>
Code after sanitizing the input:
<apex:pageBlock title="Details" id="block1">
<apex:detail subject="{!HTMLENCODE($CurrentPage.parameters.UserInput)}" relatedList="false"/>
</apex:pageBlock>
Thanks
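Beyond encoding at output time, the other defensive step for the pattern in this thread is to never bind the raw UserInput page parameter to apex:detail at all, but to validate it in the controller as a User record Id first. The following is an added example, not code from the thread or from Salesforce; the controller and property names are hypothetical.

```apex
// Added example (hypothetical controller, not from the original thread): validates the
// UserInput page parameter as a User record Id before the page binds it to apex:detail.
public with sharing class TaskDetailController {
    // Only set when the parameter is a well-formed Id of the expected object type.
    public Id selectedUserId { get; private set; }
    // Human-readable message; rendered through apex:outputText, which HTML-encodes it.
    public String errorMessage { get; private set; }

    public TaskDetailController() {
        String raw = ApexPages.currentPage().getParameters().get('UserInput');
        selectedUserId = parseUserId(raw);
        if (selectedUserId == null) {
            errorMessage = 'No valid user selected.';
        }
    }

    // Allow-list validation: Id.valueOf rejects anything that is not a 15/18-character
    // Salesforce Id, and the SObjectType check rejects Ids that belong to other objects.
    @TestVisible
    private static Id parseUserId(String raw) {
        if (String.isBlank(raw)) {
            return null;
        }
        try {
            Id candidate = Id.valueOf(raw.trim());
            return candidate.getSObjectType() == User.SObjectType ? candidate : null;
        } catch (System.StringException e) {
            // Malformed Id (for example, injected markup) is dropped rather than reflected.
            return null;
        }
    }
}
```

The page then uses `subject="{!selectedUserId}"` on apex:detail and shows the message with `<apex:outputText value="{!errorMessage}"/>`, so the unvalidated parameter value never reaches the markup.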