Questions regarding knockout and XSS


frontend_dev

Jul 18, 2015, 1:12:59 PM
to knock...@googlegroups.com
Hello,

I am in the process of developing a single page app which uses knockout for data binding.

An important aspect is of course being able to completely shield the app against all kinds of XSS attacks. Of course the server also filters user input, but I want the app to be secure even with no server filtering at all, so that we can have "double safety".

I have analysed my app and the only bindings where user input is directly reflected are the "text" and "value" bindings (for input fields), as well as virtual text elements, i.e. <!--ko text: userText --><!--/ko-->. I also use other bindings such as "css", "attr" and some event bindings, but these cannot be controlled directly by the end user.

Well, actually there is one exception where I have to use the "html" binding, containing a single variable that can be influenced by the user. There I was able to trigger an XSS attack using this string: <img src=http://www.someserver.com/bla.gif onerror=alert('XSS')>. To close that hole I run the JavaScript equivalent of "htmlspecialchars" on that variable and that seems to solve the problem.

Now I have the following questions:
  1. Is it possible to still trigger an XSS attack only with the "text" and "value" bindings? As I see it this absolutely shouldn't be possible, correct?
  2. Is filtering user input by a "htmlspecialchars" like function enough to prevent XSS attacks using the "html" binding?
  3. I also saw that there is a so called "secure binding" plugin. (https://github.com/brianmhunt/knockout-secure-binding) But is that necessary at all in my case? Is there any case where such a binding would give me any additional security? I simply cannot see any such case right now I have to admit.

I really would appreciate any insights to these questions, thanks a lot!

Gunnar Liljas

Jul 18, 2015, 6:23:56 PM
to knock...@googlegroups.com
1. Correct!
2. Well, that depends on the "htmlspecialchars" function. If you replace all "<",">","&" etc. then it should be safe.
3. CSP is great, and at the very least you should start thinking about implementing it, e.g. by eliminating inline scripts.

--
You received this message because you are subscribed to the Google Groups "KnockoutJS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to knockoutjs+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

frontend_dev

Jul 20, 2015, 10:55:26 AM
to knock...@googlegroups.com
Hi Gunnar, thanks for your answer!

So I think your "correct" was related to the impossibility of triggering an attack using the mentioned bindings?

The htmlspecialchars function I am using is basically an identical implementation to the PHP native one (see http://phpjs.org/functions/htmlspecialchars/) - so it should be secure, right?

And regarding secure bindings, I still fail to see what the benefit would be. As I use a single page app, the templates are "static", i.e. they cannot be modified by a backend script, for example by replacing something there with user generated content.

So therefore my app should be 100% XSS safe, right? So why should I still use these secure bindings? And yes, I have some logic in my templates (something like this: <!--ko if: vmData.pages().length > 0 -->), but I again fail to see how these could trigger XSS in any way.
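Added example (not part of the thread, and not Knockout's or phpjs's code) illustrating Gunnar's point 2 and the follow-up question about the htmlspecialchars port. Knockout's "text" binding writes the value as text rather than parsing it as markup, so it needs no escaping; the "html" binding does. The escaper below replaces the five characters that matter and mirrors the two PHP quote modes, which is an assumption about what the poster's port replicates: ENT_COMPAT (PHP's default in 2015) leaves single quotes alone, while ENT_QUOTES escapes them too. The difference only matters if the escaped value ends up inside a single-quoted attribute; in element content both modes neutralise the payload quoted above. The payload and the check helper are constructed for this demonstration.

```javascript
// PHP quote modes reproduced here (assumed to match the poster's htmlspecialchars port).
const ENT_COMPAT = 'ENT_COMPAT';   // escape double quotes only (PHP default at the time)
const ENT_QUOTES = 'ENT_QUOTES';   // escape single quotes as well

// Equivalent of PHP htmlspecialchars(): escapes & < > " and optionally '.
// '&' is replaced first so that entities produced by later steps are not touched again.
function htmlspecialchars(input, quoteStyle = ENT_COMPAT) {
  let s = String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
  if (quoteStyle === ENT_QUOTES) {
    s = s.replace(/'/g, '&#039;');
  }
  return s;
}

// Constructed check: could this (already escaped) string still open a tag
// or break out of the attribute context it is inserted into?
// context: 'body' (element content), 'dq-attr' (double-quoted attribute),
// 'sq-attr' (single-quoted attribute).
function canBreakOut(s, context = 'body') {
  if (/[<>]/.test(s)) return true;            // tag start/end survived
  if (context === 'dq-attr' && s.includes('"')) return true;
  if (context === 'sq-attr' && s.includes("'")) return true;
  return false;
}

// The string quoted in the first post, used here as constructed sample input.
const PAYLOAD = "<img src=http://www.someserver.com/bla.gif onerror=alert('XSS')>";

// Runs the payload through both modes and reports where each result is still dangerous.
function demo() {
  const compat = htmlspecialchars(PAYLOAD);            // ENT_COMPAT
  const quotes = htmlspecialchars(PAYLOAD, ENT_QUOTES); // ENT_QUOTES
  return {
    compat,
    quotes,
    compatBreaksBody: canBreakOut(compat, 'body'),        // false
    compatBreaksSqAttr: canBreakOut(compat, 'sq-attr'),   // true: single quote left intact
    quotesBreaksSqAttr: canBreakOut(quotes, 'sq-attr'),   // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a Knockout template the escaped value would be handed to `html:` for display; if the same value is ever placed into an `attr:` binding that the markup wraps in single quotes, use the ENT_QUOTES form. A CSP that forbids inline scripts, as Gunnar suggests in point 3, is an independent layer that would have blocked the `onerror=` handler in the payload even if the escaping had been missed.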