We recently received an interesting piece of correspondence:
I have a requirement to allow rich text editors for content that will be printed to other pages. I'm looking for something like OWASP AntiSamy or HTML Purifier that could be used in the PL/SQL to sanitize the input and thought maybe you would know where to look.
Thanks,
Greg
Using a known library like AntiSamy is generally a good idea for several reasons:
- Don't re-invent the wheel badly.
- OWASP probably know a bit more about cross-site scripting than us.
- Issues can be fixed centrally so everybody benefits.
So we decided to gather the relevant Java libraries together and put together an Oracle package to leverage this excellent resource for Apex developers who want to display dynamic HTML marked-up content but significantly reduce the risk of cross-site scripting attacks.
First we created a very simple Apex application to test the vulnerability.
This consists of two regions; one which contains the Apex rich-text editor and the other a PL/SQL region to output the results.
As can be seen, this works well: the user has turned the text green and it is correctly displayed in the Output region.
If we analyse the application with our ApexSec security analyser, we can see that there is a problem:
ApexSec has identified both the cross-site scripting vulnerability and the item causing it, in this case the :P1_INPUT item.
We can quickly test the vulnerability by using the source button on the rich text editor.
The source button allows us to type the HTML in as raw data; we raise a simple alert box this time (for more interesting exploits read our other blogs). Clicking the submit button leads to the predictable alert box.
What is needed is a way to safely keep the tags that define the style but filter out the malicious tags that may lead to a cross-site scripting attack.
Installing the library
We install the Java library and wrapper into our schema in the 'developer days' Image (OBE).
We install the PL/SQL call specifications for the installed Java library:
$ sqlplus obe/obe @recx_antisamy.sql
Procedure created.
Calling the new library in the PL/SQL region is as simple as calling the recx_antisamy_scan(stringToSanitise) function. When we re-scan the project using ApexSec we can see that there is no longer a cross-site scripting issue detected.
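To show how such a call specification hangs together, here is an added example of a recx_antisamy.sql-style script; it is not the page's own wrapper, and the Java class name RecxAntiSamy, the resource name antisamy.xml and the prior loadjava step are assumptions.

```sql
-- Assumes antisamy.jar, its dependencies and a policy file have already been loaded into
-- the schema, e.g.  loadjava -user obe/obe -resolve antisamy.jar antisamy.xml  (assumed step).

-- 1. Java wrapper compiled inside the database JVM (class and method names are assumptions).
CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "RecxAntiSamy" AS
import java.io.InputStream;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class RecxAntiSamy {
    // The policy decides which tags and attributes survive; it is parsed once per session.
    private static Policy policy;

    private static synchronized Policy getPolicy() throws Exception {
        if (policy == null) {
            // antisamy.xml is assumed to have been loaded as a schema resource with loadjava
            InputStream in = RecxAntiSamy.class.getResourceAsStream("/antisamy.xml");
            if (in == null) throw new IllegalStateException("antisamy.xml not found in schema");
            policy = Policy.getInstance(in);
        }
        return policy;
    }

    public static String scan(String dirtyHtml) throws Exception {
        if (dirtyHtml == null) return null;
        CleanResults cr = new AntiSamy().scan(dirtyHtml, getPolicy());
        // cr.getErrorMessages() lists what was removed; log it, do not echo it to the user
        return cr.getCleanHTML();
    }
}
/

-- 2. PL/SQL call specification exposing the Java method to SQL and PL/SQL.
--    VARCHAR2 is fine for short editor content; use CLOB mappings for large documents.
CREATE OR REPLACE FUNCTION recx_antisamy_scan(p_html IN VARCHAR2)
  RETURN VARCHAR2
AS LANGUAGE JAVA
NAME 'RecxAntiSamy.scan(java.lang.String) return java.lang.String';
/

-- 3. In the Apex PL/SQL output region, print the sanitised value rather than the raw item.
BEGIN
  htp.p(recx_antisamy_scan(:P1_INPUT));
END;
/
```

Which formatting survives is entirely determined by the policy file you load, so review it (and anything AntiSamy reports in getErrorMessages()) before relying on the output.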
We run a simple test again, adding a script tag; this time the tag has been filtered out by the AntiSamy library, but the formatting has been kept.
Recx perform security audits of Apex code, as well as advising about secure Apex coding techniques. Contact us for information on how we can help you secure your Apex estate.
Our ApexSec security console is the only tool to do deep analysis on Apex code, highlighting cross-site scripting, SQL Injection, configuration and insecure coding constructs.
Downloads
Example Apex Application
Antisamy Java Library
PL/SQL Call Specifications
Thanks to Greg, for throwing down the gauntlet. For a copy of the eclipse project feel free to email us.
Disclaimer: THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.