Fun discussion with a co-worker

Discussion in 'Security' started by a_bertrand, Sep 29, 2016.

  1. a_bertrand

    a_bertrand Administrator

    Joined:
    Oct 28, 2014
    Today I want to share a fun discussion I had. Basically I tried to explain why you need not only to check what the users type but also what you will display, to avoid XSS attacks. Of course you could simply check what comes in from the users on the server side and ensure nothing bad happens, but as I develop more and more SPAs (Single Page Applications) it does make sense to check it in multiple places, even just before displaying (therefore doing some escaping in JS).

    The issue is the following:
    1. Somebody types in some text for example <span onmouseover='alert(1)'>hello</span>
    2. This text will be sent to your server and then shared across multiple visitors
    3. The visitor gets the text from the server and displays it ( $("#myDiv").html(receivedText) for example)
    Ooopps... you are actually adding some JS there! That's called XSS.

    Now XSS should be something we all know, and avoid somehow. However you would think that if you check what people type in your JS, then send it to your server, and then display it as is, it should be safe... Well NO! Somebody could still call your server without going through your JS, or bypass the check via the JavaScript debugger tools and send nasty stuff.

    Therefore, ideally, check when you receive it on the server, and maybe escape it too when you display it (just to be sure).

    Another point which could be tricky but should not affect many of you: what if your interface allows changing the CSS? For example, it lets somebody change the color of the background or whatever? Well, you would say, I check that what the user types is a number, send it to my database (as a string, just to make things less secure) and then add it in my CSS as is. NO! Again this could potentially be another source of attacks! Again, when you produce the CSS (be it on the server side or the client side) ensure that nothing nasty has been added. Especially if the CSS is just added in the header and not as a separate document.

    Yes, the WEB is a wild zone, and if you are not careful you risk being hacked in no time. It's a shame but it's like that.
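The two points made in the post, as an added example that is not part of the original thread: escaping the received text at display time (the hardened form of the `$("#myDiv").html(receivedText)` step) and validating a user-chosen CSS value before it is spliced into a stylesheet. The function names and the `#rgb`/`#rrggbb` colour policy are assumptions for the example; it runs under Node without jQuery.

```javascript
// Added example (not from the original post): escape user-supplied text
// before it reaches innerHTML, and validate a user-chosen CSS value before
// it is written into a <style> block.

// Characters that must never reach innerHTML unescaped.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape text so it renders literally even when assigned via .html()/innerHTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern from the post: the raw server response goes straight into markup.
function renderUnsafe(receivedText) {
  return `<div id="myDiv">${receivedText}</div>`;
}

// Hardened form: escape at display time, whatever the server already checked.
function renderSafe(receivedText) {
  return `<div id="myDiv">${escapeHtml(receivedText)}</div>`;
}

// Assumed policy: only a hex colour of the form #rgb or #rrggbb is accepted,
// so a value carrying extra declarations can never be spliced into the rule.
const CSS_HEX_COLOR = /^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/;

function buildBackgroundRule(userColor) {
  const value = String(userColor).trim();
  if (!CSS_HEX_COLOR.test(value)) {
    throw new Error("rejected CSS value: " + JSON.stringify(value));
  }
  return `body { background-color: ${value}; }`;
}

// Constructed sample input: the payload quoted in the post.
const SAMPLE = "<span onmouseover='alert(1)'>hello</span>";
console.log(renderUnsafe(SAMPLE)); // the handler survives: that is the XSS
console.log(renderSafe(SAMPLE));   // rendered as inert text
console.log(buildBackgroundRule("#336699"));
```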
  2. spudinski

    spudinski Active Member

    Joined:
    Dec 21, 2014