www.webdeveloper.com
Results 1 to 4 of 4

Thread: Validating malicious javascript

  1. #1
    Join Date
    Nov 2006
    Posts
    2

    Red face Validating malicious javascript

    Hi All,

    I have a need to create a web application which allows the user to design a web page using a web based wysiwyg editor. I also need to allow the user as much freedom as possible to design just what they require. The nearest example of this are the 'Sell' pages on EBay where you can enter a description of your item along with javascript, applets and of course HTML.

    If you type <script...>alert("Hello")</script> tag in the EBay description and click the "Save and Continue" button, your html will be rendered and displayed, and the "Hello" alert will appear. If you type location.href=("<url>"), it will attempt to go to that page, but EBay will somehow block the request after a few clicking sounds.

    My plan is to allow the user to enter anything they want, but on submission of the page I want to search for any potentially malicious Javascript commands and if they are found, then I will not allow the HTML to be saved. Javascript isn't my area of expertize (I am a DBA really), so I need to know what javascript keywords I should look for (location.href and alert are two I know of) to mitigate against the possibility of being hacked (cross-site scripting, for example) or the page misused.

    In addition to the keywords I require, any other comments \ opinions would be very welcome.

    Kind regards,

    Martin

  2. #2
    Join Date
    Jun 2003
    Location
    here
    Posts
    4,551
    hmn...

    I would advise against trying to write such a thing, as of course the main problems being either infinite loops(while(true){alert("ha-ha, you can't escape me");};) or such(things that are actually hard to pick up on).

    and to add insult to injury even if you wrote such a script to pick up on it I could simply encrypt it and decrypt it at a time of my choice.

    it might be better if you made a list of things you want the user to be able to do and you restrict the javascript to that and that alone.

  3. #3
    Join Date
    May 2003
    Location
    Between Baltimore and DC
    Posts
    3,579
    All of the checking should be done on the server. I do not have to use your form to submit it to the server.

    Look at my talk here (it is a zip): http://www.pascarello.com/presentation/owasp/

    Eric

  4. #4
    Join Date
    Nov 2006
    Posts
    2
    Thank you both for your comments.

    Alien, the checking will indeed be done on the server.

    I understand that it is inadvisable to put a system like this into production; I also would recommend against it under most circumstances. However, this interface is central to the application, and I can't let the possibility of users hacking \ misusing the page stop the project - I just have to take every possible step to reduce the chances of it happening. The user would have had to provide a valid email address, and part with some money in order to get to this page, so the chances of them misusing the page are already reduced.

    If I have to check each and every submission that contains a <script> tag after it has been submitted, then that's what I will do. However, the fact remains that I would like to trap the most common potentially malicious keywords and prevent submission if the html contains them (or email me to prompt me to check the submission).

    the 'while' keyword is a useful one for the list, Scragar, and I would be grateful for any others you can come up with.

    Regards,

    Martin

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles