Add example of XSS vulnerability #24

dschwarz91 · 2022-10-19T19:27:58Z

hey karl,
just added an xss example.
For now, i just put the payload in an additional row in the blog_posts table.
Should we put that in an own table or should we add an additional column to the blog_posts table to somehow mark this entry? What do you prefer?

karlhorky · 2022-10-20T09:09:28Z

@dschwarz91 cool, this is a great idea! What do you think about also including:

A demo of XSS in a React HTML prop? (explanation, CodeSandbox, official docs showing deprecation)
Solution 3: An additional database row using Markdown instead of HTML?
Does it make sense to show / mention TrustedHTML already? Or too new still?

dschwarz91 · 2022-10-20T13:32:51Z

@karlhorky: thx for the feedback!

1. A demo of XSS in a React HTML prop?

I've already had an additional example with the deprecated javascrip: URLs, but since there are no really nice fixes for it (at least I dont know about any - besides "stealing" the filter-regex from angular ^^), I decided to just include it in the slides, but not in the example repo.

Wasn't aware of the way via "props: " tho - will have a look at that.

2. Solution 3: An additional database row using Markdown instead of HTML?

good Idea, will add that =)

3. Does it make sense to show / mention [TrustedHTML] already? Or too new still?

It absolutely makes sense and I actually already tried to include it in the examples but failed ^^
I wanted to enable it only on a specific sub-page (solution3) via (the next.js feature)

and it kinda worked (because I could see some trusted types errors in the console), but somehow react seemed to render the page (and also the payload) once before it activated trusted types.
So it seemed as it would be necessary to enable it for the whole application.
And then I decided to just mention it in the slides. (still no skilled react dev ^^)
But if you have any idea how to just enable it on a single react page, I'm happy to try again =)

karlhorky · 2022-10-20T15:28:57Z

A demo of XSS in a React HTML prop?

I've already had an additional example with the deprecated javascrip: URLs, but since there are no really nice fixes for it (at least I dont know about any - besides "stealing" the filter-regex from angular ^^), I decided to just include it in the slides, but not in the example repo.

Maybe some kind of form that submits content to the database which also includes a new url field in the database?

But yeah, totally understand if this is outside the scope of this PR - if you think it's too big for now, maybe you can open a new issue for it, with a clear documentation of what needs to be done with this? You may also want to link it to this issue:

Add all CRUD methods #5

Solution 3: An additional database row using Markdown instead of HTML?

good Idea, will add that =)

Ok I'll wait on this before reviewing again then.

Does it make sense to show / mention [TrustedHTML] already? Or too new still?

It absolutely makes sense and I actually already tried to include it in the examples but failed
...
And then I decided to just mention it in the slides.

Fine with me, no problem there! Maybe you can open an issue for this too?

dschwarz91 · 2022-10-23T13:38:08Z

ok, added the markdown example and created an issue for an URL example (#28) and a Trusted Types example (#27)

util/cookies.ts

pages/example-6-xss/vulnerable.tsx

pages/_app.tsx

package.json

pages/example-6-xss/common.tsx

pages/example-6-xss/solution-1.tsx

database/blogPosts.ts

migrations/003-create-table-blog-posts.ts

pages/example-6-xss/solution-1.tsx

pages/example-6-xss/vulnerable.tsx

database/blogPosts.ts

…ecurity into xss

not ready yet

pages/example-6-xss/solution-2.tsx

…ecurity into xss

karlhorky · 2022-10-26T13:12:36Z

Thanks for this 🙌 I addressed the points above - now merging!

added an XSS example

8609ea8

Added XSS solution example with markdown

7e99792

karlhorky mentioned this pull request Oct 24, 2022

Add Solution 3 using TrustedHTML to XSS Example #27

Open