Is there any reason to sanitize user input to prevent users from cross-site scripting themselves?

If I have fields that will be displayed only to the user who enters them, is there any reason to sanitize them against cross-site scripting?

Edit: So the consensus is clear that it should be sanitized. What I'm trying to understand is why. If the only user who can ever view the script they embed on the site is the user himself, then the only thing he can do is execute the script himself, which he could already do without my site. What is the threat vector?

+7
xss
5 answers

Theoretically: no. If you are sure that only they will ever see this page, then let them script whatever they want.

The problem is that there are many ways they can get other people to view this page that you cannot control. They can even open the page on a college computer and make others look at it. This is undoubtedly an additional attack vector.

Example: a pastebin without permanent storage; you post, you get the result, that's it. You can insert a script that quietly adds a "donate" button linking to your PayPal account. Put it up on a public computer and hope that someone will donate ...

I agree that this is not the most shocking or realistic example. However, as soon as you need to defend your security decision with "maybe, but that doesn't sound so bad," you know that you have crossed a certain line.

Otherwise, I disagree with answers like "never trust user input." That statement is meaningless without context. The point is how to define user input, which was the whole question. Trust semantically? Syntactically? At what level: just the size? Valid HTML? A subset of Unicode characters? The answer depends on the situation. A bare web server "does not trust user input", yet many sites today can be hacked, because the boundaries of "user input" depend on your perspective.

Bottom line: do not let anyone influence your product unless it is clear to a sleepy, non-technical consumer what and who.

This rules out almost all JS and HTML from the get-go.

PS: In my opinion, the OP deserves credit for asking this question in the first place. "Don't trust your users" is not the golden rule of software development. It is a bad rule of thumb because it is too destructive; it belittles the intricacies of determining the boundaries of acceptable interaction between your product and the outside world. It sounds like the end of a brainstorming session, when it should be the start of one.

At its core, software development is about creating a clear interface to and from your application. Everything inside that interface is Implementation; everything outside it is Security. Making a program do what you want is so exciting that it is easy to forget about making it do nothing else.

Picture the application you are trying to build as a beautiful image or photograph. With the software you are trying to approximate this image. You use the specification as a sketch; the messier your specification is, the blurrier your sketch is. The outline of your ideal application is razor-thin, though! You are trying to recreate this image with code. Carefully you fill in the outline of your sketch. In the middle everything is easy. Use broad brushes: blurry sketch or not, this part clearly needs colouring. Along the edges it gets trickier. This is when you realize that your sketch is not perfect. If you go too far, your program begins to do things you do not want, and some of them can be very bad.

When you see a blurry line, you can do two things: take a closer look at your ideal image and try to refine your sketch, or just stop painting. If you do the latter, you most likely will not go too far. But at best you will also end up with only a rough approximation of your ideal program. And you could still accidentally cross the line! Just because you don't know where it is.

You have my blessing if you look at this blurry line and try to redefine it. The closer you get to the edge, the more confident you are about where it is, and the less likely you are to cross it.

In any case, in my opinion, this question was not one of security but one of design: what are the boundaries of your application, and how does your implementation reflect them?

If "never trust user input" is the answer, your sketch is blurry.

(And if you disagree: what if the OP works for "testxsshere.com"? Boom! Checkmate.)

(someone needs to register testxsshere.com)

+4

Just because you are not showing the field to anyone else does not mean that a potential black hat does not know it is there. If you have a potential attack vector in your system, plug the hole. It is difficult to explain to your employer why you did not, if it ever gets exploited.

+1

I do not believe this question was answered in full. He wants to see the actual XSS attack if the user can only attack himself. This is performed by a combination of CSRF and XSS.

With CSRF, you can make the user send a request with your payload. Therefore, if the user can attack himself with XSS, you can force him to attack himself (make him send a request with your XSS).

Quote from The Web Application Hacker's Handbook:

COMMON MYTH:

"I'm not worried about this low-risk XSS bug. The user can only use it to attack himself."

Even apparently low-risk vulnerabilities can, under the right circumstances, open the door to a devastating attack. Taking a comprehensive approach to security entails eliminating every known vulnerability, however minor it may seem. The authors have even used XSS to place file browser dialogs or ActiveX controls into the page response, which helped break out of a kiosk-mode system tied to the target web application. Always assume that the attacker will be more inventive than you in devising ways to exploit minor bugs!

+1
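As an added example (not code from the original answer or from the book quoted), here is a minimal Python model of the defence against the CSRF-plus-self-XSS chain described in this answer: a per-session CSRF token rejects the forged cross-site submission, and HTML output encoding neutralises the payload even when the user really did submit it. The Session class, the form dictionary and the payload are constructed for the demonstration.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed demo: a "note" field that is shown only to the user who saved it.
# A forged cross-site POST (CSRF) can still plant markup in the victim's own
# field, turning "he can only attack himself" into an attacker-driven XSS.
# Two layers close that chain: a per-session CSRF token checked on every
# state-changing request, and HTML entity encoding when the value is rendered.


@dataclass
class Session:
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    note: str = ""


def handle_post(session: Session, form: dict) -> bool:
    """Store the note only if the form carries this session's CSRF token.
    Returns True when stored, False when the request is rejected."""
    supplied = form.get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed via timing
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False
    session.note = form.get("note", "")
    return True


def render_note(session: Session) -> str:
    """Render the note with HTML entity encoding so that any markup in the
    stored value is displayed as text rather than parsed by the browser."""
    return "<p>" + html.escape(session.note, quote=True) + "</p>"


PAYLOAD = "<script>alert(1)</script>"  # constructed sample payload


def demo() -> dict:
    victim = Session()
    # 1. Forged request from an attacker-controlled page: it has no valid token.
    forged = handle_post(victim, {"note": PAYLOAD, "csrf_token": "guess"})
    # 2. Submission from the victim's own browser, which does hold the token
    #    (the user pasted the payload themselves): stored, but encoded on output.
    legit = handle_post(victim, {"note": PAYLOAD, "csrf_token": victim.csrf_token})
    return {"forged_accepted": forged, "legit_accepted": legit,
            "rendered": render_note(victim)}


if __name__ == "__main__":
    print(demo())
```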

Yes, always sanitize user input:

  1. Do not trust user input.
  2. It does not require much effort.

The key point is 1.

0

If the script or service to which the form submits its values is accessible over the Internet, then anyone, anywhere, can write a script that sends values to it. So: yes, sanitize all data received.

The simplest web security model is pretty simple:

Do not trust your users

It is also worth referring to my answer on another post (Steps to become confident in web security).

I can't believe I answered without addressing the title question:

Is there any reason to sanitize user input to prevent users from cross-site scripting themselves?

You are not preventing the user from cross-site scripting themselves; you are protecting your site (or, more importantly, your client's site) from being the victim of cross-site scripting. If you don't close well-known security holes because you can't be bothered, it becomes very difficult to get repeat business, or good word-of-mouth advertising and recommendations from previous customers.

Think of it as protecting your client, or think of it as protecting your business if that helps.

0
