Validating malicious javascript

Hi All,

I have a need to create a web application which allows the user to design a web page using a web-based WYSIWYG editor. I also need to allow the user as much freedom as possible to design just what they require. The nearest example of this are the ‘Sell’ pages on eBay where you can enter a description of your item along with JavaScript, applets and of course HTML.

If you type a <script…>alert(“Hello”)</script> tag in the eBay description and click the “Save and Continue” button, your HTML will be rendered and displayed, and the “Hello” alert will appear. If you type location.href=(“<url>”), it will attempt to go to that page, but eBay will somehow block the request after a few clicking sounds.

My plan is to allow the user to enter anything they want, but on submission of the page I want to search for any potentially malicious JavaScript commands and if they are found, then I will not allow the HTML to be saved. JavaScript isn’t my area of expertise (I am a DBA really), so I need to know what JavaScript keywords I should look for (location.href and alert are two I know of) to mitigate against the possibility of being hacked (cross-site scripting, for example) or the page misused.

In addition to the keywords I require, any other comments or opinions would be very welcome.

Kind regards,

Martin

3 Comment(s)

@scragar Nov 15, 2006 — hmn...

I would advise against trying to write such a thing, as of course the main problems are either infinite loops (while(true){alert("ha-ha, you can't escape me");};) or suchlike (things that are actually hard to pick up on).

And to add insult to injury, even if you wrote such a script to pick up on it, I could simply encrypt it and decrypt it at a time of my choice.

It might be better if you made a list of things you want the user to be able to do and you restrict the JavaScript to that and that alone.
@A1ien51 Nov 15, 2006 — All of the checking should be done on the server. I do not have to use your form to submit it to the server.

Look at my talk here (it is a zip): http://www.pascarello.com/presentation/owasp/

Eric
@webtekkie (author) Nov 16, 2006 — Thank you both for your comments.

Alien, the checking will indeed be done on the server.

I understand that it is inadvisable to put a system like this into production; I also would recommend against it under most circumstances. However, this interface is central to the application, and I can't let the possibility of users hacking or misusing the page stop the project - I just have to take every possible step to reduce the chances of it happening. The user would have had to provide a valid email address, and part with some money in order to get to this page, so the chances of them misusing the page are already reduced.

If I have to check each and every submission that contains a <script> tag after it has been submitted, then that's what I will do. However, the fact remains that I would like to trap the most common potentially malicious keywords and prevent submission if the HTML contains them (or email me to prompt me to check the submission).

The 'while' keyword is a useful one for the list, Scragar, and I would be grateful for any others you can come up with.

Regards,

Martin