tags:

views:

104

answers:

6
+4  Q: 

Serving JSON and HTML securely to JavaScript

Hi,

I am thinking of secure ways to serve HTML and JSON to JavaScript. Currently I am just outputting the JSON like:

ajax.php?type=article&id=15

{
 "name":    "something",
 "content": "some content"
}

but I do realize this is a security risk -- because the articles are created by users. So, someone could insert script tags (just an example) for the content and link to his article directly in the AJAX API. Thus, I am now wondering what's the best way to prevent such issues. One way would be to encode all non alphanumerical characters from the input, and then decode in JavaScript (and encode again when put in somewhere).

Another option could be to send some headers that force the browser to never render the response of the AJAX API requests (Content-Type and X-Content-Type-Options).

+4  A: 

Instead of worrying about how you could encode the malicious code when you return it, you should probably take care that it does not even get into your database. A quick google search about preventing cross-site scripting and input validation might help you here. Cheers

moxn  2010-07-24 11:40:29
-1 google it? You must be joking this is SO!
Rook  2010-07-24 18:37:54
So, you are suggesting Input Encoding. Well, that's one option, but it has to be very strict -- as the server cannot yet tell where the content will end up.
rFactor  2010-07-24 20:21:44
@The Rook If you read carefully, you will notice that I suggested to encode the user input before storing it on the server (The OP apparently understood this. btw). The google reference was just a helpful pointer in the right direction.
moxn  2010-07-27 07:58:12
@rFactor That's true. There are various things you can do to improve security and usually using only one of them is not enough.
moxn  2010-07-27 07:59:51
@moxn I disagree, data in the db shouldn't be encoded because it makes it more difficult to make comparisons. For something like a comment or a blog post its not going to matter. But what about the date/time or an address? XSS is only a vulnerability when it reaches the client and in most cases its best to use htmlentity encoding before printing it out. In this case, its not necessary if you follow the RFC and you use the content-type header properly.
Rook  2010-07-27 08:07:32
@The Rook Point taken. But I am still convinced, that if I don't allow the inclusion of Javascript in, let's say, the comment section of a blog post, I will encode the content before storing it in the DB. I don't want to store potentially harmful content on my side...
moxn  2010-07-27 10:08:56
@moxn there is a difference between potentially harmful and a vulnerability. Where do you draw the line? Do you also encode percent signs because they might lead to a format string vuln? It matters how the data is used, not where its stored or where it comes from.
Rook  2010-07-27 10:17:46
@The Rook I agree completely. The programmer has to draw this line. IMO there is a difference between script-tags and percent signs. All I offered was an answer for his question from my POV and apparently you and I draw lines at different places :)
moxn  2010-07-27 10:32:59
@moxn I agree as well. I'm glad we can have a civil discussion on this topic. There isn't a single right answer.
Rook  2010-07-27 10:46:46
A: 

I don't think your question is about validating user input, as others pointed out. You don't want to provide your JSON api to other people... right?

If this is the case then there isn't much you can do... in fact, even if you were serving HTML instead of JSON, people would still be doing HTML scraping to get what they wanted from your site (this is how Search Engine spiders work).

A good way to prevent scraping is to allow only a specific amount of downloads from an IP address. This way if someone is requesting http://yoursite.com/somejson.json more than 100 times a day, you probably know it's a scraper, and not someone visiting your page for 100 times in 1 day.

Luca Matteis  2010-07-24 11:51:44
Okay, so the attacker will just use a list of proxy servers to scrape your site. Also input validation isn't always the right answer, and is not required to secure this potential vulnerability.
Rook  2010-07-24 18:42:10
Define 'list of proxy servers'. There aren't many public proxy servers available and it would sure be harder to setup the proxy servers yourself... but yeah there are indeed ways to get around it.
Luca Matteis  2010-07-25 00:34:03
A: 

Insertion of script tags (or SQL) is only a problem if you fail to ensure it isn't at the point that it could be a problem.

A <script> tag in the middle of a comment that somebody submits will not hurt your server and it won't hurt your database. What it would hurt, if you fail to take appropriate measures, would be a page that includes the comment when you subsequently serve it up and it reaches a client browser. In order to prevent that from happening, your code that prepares the page must make sure that user-supplied content is always scrubbed before it is exposed to an unaware interpreter. In this case, that unaware interpreter is a client web browser. In fact, your client web browser really involves two unaware interpreters: the HTML parser & layout engine and the Javascript interpreter.

Another important example of an unaware interpreter is your database server. Note that a <script> tag is (almost certainly) harmless to your database, because "" doesn't mean anything in SQL. It's other sorts of input that cause problems for SQL, like quotes in strings (which are harmless to your HTML pages!).

Stackoverflow would be pretty lame if I couldn't put <script> tags in my answers, as I'm doing now. Same goes for examples of SQL Injection attacks. Recently somebody linked a page from some prominent US bank, where a big <textarea> was footnoted by a warning not to include the characters "<" or ">" in whatever you typed. Predictably, the bank was ridiculed over hundreds of Reddit comments, and rightly so.

Exactly how you "scrub" user-supplied content depends on the unaware interpreter to which you're delivering it. If it's going to be dropped in the middle of HTML markup, then you have to make sure that the "<", ">", and "&" characters are all encoded as HTML entitites. (You might want to do quote characters too, if the content might end up in an HTML element attribute value.) If the content is to be dropped into Javascript, however, you may not need to worry about HTML escaping, but you do need to worry about quotes, and possibly Unicode characters outside the 7-bit range.

Pointy  2010-07-24 12:54:26
+1  A: 

If the user has to be logged in to view the web page then secure the ajax.php with the same authorization mechanism. Then a client that's not logged in cannot access ajax.php directly to retrieve the data.

Kwebble  2010-07-24 14:30:06
+4  A: 

If you set the Content-Type to application/json then NO Browser will execute JavaScript on that page. This is apart of RFC-4627, and Google uses this to protect them selves. Other Application/ Content types follow similar rules.

You still have to worry about DOM Based XSS, however this would be a problem with your JavaScript, not really the content of the json. Another more exotic security concern with Json is information leakage like this vulnerability in gmail.

Make sure to always test your code. There is the Acunetix free xss scanner, and you could test this manually with a simple <script>alert(/xss/)</script>.

Rook  2010-07-24 18:37:21
Perfect answer!
rFactor  2010-07-24 20:30:31
@rFactor Thank you! I'm happy to help.
Rook  2010-07-24 20:31:41
A: 

For outputting safe html from php, I recommend http://htmlpurifier.org/

DGM  2010-07-24 18:47:03
...Or you could kill a fly with a brick.
Rook  2010-07-24 18:54:18

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?