Preventing JavaScript Injection

Simon wrote:

Hi,

I have a site where users have been granted a lot of flexibility when it
comes to entries.
They cannot add any code as far as I can see that would harm the server, but
they could add JavaScript code that could be harmful to visitors, (or just
annoying).

So I want to prevent them from running bad scripts on the visitors of their
pages.

Scripts like...
What I was thinking of doing was
1) Send me an email when any user adds an entry with the word "<SCRIPT" in
it
2) Send me an email when any user adds an entry with the word "<EMBED" in it
3) Replace "location.replace(...)" with "/*location.replace*/(...)" to
prevent been redirected to another page on load.

Would point 1) and 2) ensure that I catch all the possible scripts, (or is
there another way of starting a script)?

No they don't - this primitive defence was bypassed endless amount of
times.

See my post in the thread:
<http://groups.google.com/group/comp.lang.javascript/browse_frm/thread/eb4dd17efe90f7be/9d0548937813dae7>

The only acceptable security you can get by allowing a pre-defined set
of pseudo-tags, rendered into real tags on server side. Like say [b]
for bold, [em] for emphasis etc.

Also see the mentioned in the thread MyShere case at
<http://blog.outer-court.com/archive/2005-10-13-n73.html>

And at <http://namb.la/popular/tech.html> you can read the actual
hacker explanations how did he bypass the defence of the kind you are
thinking about (but thought to be way more "robust").

"VK" <sc**********@yahoo.com> wrote in message
news:11**********************@i40g2000cwc.googlegr oups.com...

No they don't - this primitive defence was bypassed endless amount of
times.

See my post in the thread:
<http://groups.google.com/group/comp.lang.javascript/browse_frm/thread/eb4dd17efe90f7be/9d0548937813dae7>

The only acceptable security you can get by allowing a pre-defined set
of pseudo-tags, rendered into real tags on server side. Like say [b]
for bold, [em] for emphasis etc.

Also see the mentioned in the thread MyShere case at
<http://blog.outer-court.com/archive/2005-10-13-n73.html>

And at <http://namb.la/popular/tech.html> you can read the actual
hacker explanations how did he bypass the defence of the kind you are
thinking about (but thought to be way more "robust").

Thanks for that, quite an interesting read indeed.

Thankfully, (sic), we are not as big as MySpace or MyShere, but it won't
hurt to follow some/all of their procedures.

In the meantime, I will also flag any entries that has more than 5 or 6 "{",
"(", ")" or "}" that might help a little.

Simon
--
http://urlkick.com/
Free URL redirection service. Turns a long URL into a much shorter one.

"Simon" <sp********@example.com> writes:

In the meantime, I will also flag any entries that has more than 5 or 6 "{",
"(", ")" or "}" that might help a little.

I like to make parenthesised comments, so I would be sure to hit that
limit fast :)

A whitelist is still the only way to be sure. If you publish the rules
you check for (as you just did :), it's fairly simple for a proficient
Javascript programmer to avoid it.

Inject this!

<div style='background-image:url(javascript:document.write("</body>"););">Sorry!</div>

<div onmouseover='location.href="http://mysluttysexsite.com/";'>
my entire message that looks plausible
</div>

They have respectively four and zero parentheses.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

Lasse Reichstein Nielsen wrote:
<snip>

<div onmouseover='location.href="http://mysluttysexsite.com/";'>
my entire message that looks plausible
</div>

They have respectively four and zero parentheses.

Hey, the server was down! :-( :-D

:-|
The OP's question is really out of regulations of c.l.j. That is the
famous "acceptable potential hackers" dilemma. Any system is vulnerable
by default to N amount of experienced hackers (a system vulnerable to 0
hackers cannot exist by thermodynamic laws). More robust the system -
lesser the N number. As hackers as human being cannot be fractional
(0.5 hacker cannot be), the system lims to Super System - Super Hacker
solution. So eventually the equation solves to one absolutely
unbreakable system and the only one person able to hack it. If such
person appears to be a law-obeying member of the socially the equation
will be solved by non-mathematical methods. Otherwise your only
solution is to decide what N% is acceptable for your current situation.
Every 2nd? No more than half? 1% of your visitors? For the last the
proposed measures are good enough.

P.S. Super Hacker theory is taken from the black hackers' bible, which
I never saw of course. Just rumors.

"Lasse Reichstein Nielsen" <lr*@hotpop.com> wrote in message
news:4q**********@hotpop.com...

"Simon" <sp********@example.com> writes:

In the meantime, I will also flag any entries that has more than 5 or 6
"{",
"(", ")" or "}" that might help a little.

I like to make parenthesised comments, so I would be sure to hit that
limit fast :)

A whitelist is still the only way to be sure. If you publish the rules
you check for (as you just did :), it's fairly simple for a proficient
Javascript programmer to avoid it.

Inject this!

<div
style='background-image:url(javascript:document.write("</body>"););">Sorry!</div>

<div onmouseover='location.href="http://mysluttysexsite.com/";'>
my entire message that looks plausible
</div>

They have respectively four and zero parentheses.

I am not saying that my system would be 100% full proof.
But currently I am rejecting any "javascript", (and thanks to VK I am now
rejecting broken Javascripts, (java\nscript).

I am also removing any onWhatever=....

And I am also removing all the "location.replace" and "location.href".

Over and above that I still think that monitoring entries that contain
suspicious chars, ({, (, ), }) will possibly help me in noticing possible
illegal patterns.

Further more I flag a user that "previews" messages with weird code, because
that usually tells me that they are indeed trying to do something strange.

Simon
--
http://urlkick.com/
Free URL redirection service. Turns a long URL into a much shorter one.

"VK" <sc**********@yahoo.com> wrote in message
news:11**********************@g10g2000cwb.googlegr oups.com...

Lasse Reichstein Nielsen wrote:
<snip>

<div onmouseover='location.href="http://mysluttysexsite.com/";'>
my entire message that looks plausible
</div>

They have respectively four and zero parentheses.

Hey, the server was down! :-( :-D

:-|
The OP's question is really out of regulations of c.l.j. That is the
famous "acceptable potential hackers" dilemma. Any system is vulnerable
by default to N amount of experienced hackers (a system vulnerable to 0
hackers cannot exist by thermodynamic laws). More robust the system -
lesser the N number. As hackers as human being cannot be fractional
(0.5 hacker cannot be), the system lims to Super System - Super Hacker
solution. So eventually the equation solves to one absolutely
unbreakable system and the only one person able to hack it. If such
person appears to be a law-obeying member of the socially the equation
will be solved by non-mathematical methods. Otherwise your only
solution is to decide what N% is acceptable for your current situation.
Every 2nd? No more than half? 1% of your visitors? For the last the
proposed measures are good enough.

P.S. Super Hacker theory is taken from the black hackers' bible, which
I never saw of course. Just rumors.

I cannot agree more with you.
My code will not be 100% safe, it never will be safe as far as I can see it.

I also agree that pseudo-tags would be a better option by far.
Unfortunately other blog hosts do not offer such a system and to keep our
users happy, (and to keep making money :)), we have to bend some blatant
rules.
One of those rules is to allow html code.

Simon

--
http://urlkick.com/
Free URL redirection service. Turns a long URL into a much shorter one.