
Symptoms


We're facing the issue of exposing ourselves to XSS (cross-site scripting) attacks. How can we deal with these kinds of issues in SmartForm? Please check my screenshot.
 

Diagnoses


Browsers these days have built-in XSS protection. Also, most K2 controls have their Literal properties permanently disabled.
 

Resolution

"
Most commercial browsers already have built-in XSS protection, and assuming that you are not launching the attack from a browser on the K2 or SQL Server itself, no AJAX queries will be able to create a connection to the SQL or K2 Server to give someone access to these services.

From K2's end, K2 can state the following:

By default, the majority of Controls available to you OOTB have their Literal Properties permanently disabled. Any text entered into a Text field, be it JS or HTML or just Plain Text, and submitted to the DB via a SmartObject, will be saved as Text (or whatever DataType you have decided on). When that information is retrieved and displayed on a SmartForm at a later stage, unless it's explicitly assigned to a String Literal enabled control, it will simply display the Text that was entered. The ticket system we are working on right now is a SmartForm; because this is not a Literal Control, I can drop a script in here that should save my Client Cookie, for example:

<script language="javascript" type="text/javascript">alert(document.cookie)</script>

Because this is not a Literal Enabled control, the above is simply saved as Text.

There are exceptions to this. The Label and DataLabel controls have the Literal Property exposed (disabled by default). The Rich Text Control has an HTML Property. Streaming JS or HTML to these Controls whilst they are Literal Enabled will execute those injections.

Because you are aware of which Controls will execute injections and you have the ability to enable/disable this at Design Level, potential XSS attacks should be avoidable by simply ensuring that your Form design never streams User Input to a Literal Enabled Label or DataLabel control.
"
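As an added illustration (not K2's code and not a SmartForms API): a small JavaScript model of the behaviour described above, where a control with Literal disabled displays the stored string as text while a Literal-enabled control injects it as markup, together with the HTML encoding to apply before binding user input to such a control and a design-time check for the risky binding. The function names are hypothetical and the sample payload is the one quoted above.

```javascript
// Added example, not K2 code: models how a stored value reaches the browser
// depending on a control's Literal property, and the encoding a form designer
// should apply before binding user input to a Literal-enabled Label/DataLabel.

// Minimal HTML entity encoding, sufficient for text placed inside an element
// body or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Rendering path as the page describes it: Literal disabled shows the stored
// string as text; Literal enabled injects the stored string as markup, so any
// script it carries would run in the viewer's browser.
function renderControl(storedValue, { literal = false } = {}) {
  return literal ? storedValue : escapeHtml(storedValue);
}

// Hardened variant: even on a Literal-enabled control, only values explicitly
// marked as trusted (markup authored by the designer, never a user-supplied
// field) are passed through unencoded.
function renderControlSafe(storedValue, { literal = false, trusted = false } = {}) {
  return literal && trusted ? storedValue : escapeHtml(storedValue);
}

// Design-time review aid: flags a binding that streams user input into a
// Literal-enabled control, which is exactly the situation the page says a
// form design must avoid.
function isRiskyBinding(binding) {
  return binding.literal === true && binding.source === 'user';
}

// Constructed sample: the payload quoted on the page, as a user would type it
// into a text box and save it through a SmartObject.
const USER_INPUT =
  '<script language="javascript" type="text/javascript">alert(document.cookie)</script>';
```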

