1 Reply Latest reply on Nov 30, 2010 1:29 AM by drkstr_1

    How to prevent Cross Site Scripting?

    Ki_Bae

      Hi

      I am doing a security test for my Flex application with Burp Suite 1.3.

      Some XSS (Cross Site Scripting) problems occurred.

      Could you guys give me a tip for solving the problems?

      Version of Flex: 3.4

      Sample script from report:

      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Set-Cookie: JSESSIONID=0065595E0446BED2F5BDF6A8AE17230F; Path=/TPontap; Secure
      Set-Cookie: JSESSIONID=2AE35FCB00E9A9B917B74CB62A7E2EED; Path=/TPontap; Secure
      Content-Type: application/x-amf
      Content-Length: 587
      Date: Tue, 30 Nov 2010 04:20:58 GMT

      ......../13/onStatus.......
      .SIflex.messaging.messages.ErrorMessage.rootCause.destination.headers.correlationId.faultString.messageId.faultCode.timeToLive.extendedData.faultDetail.clientId.timestamp    body...CommonService
      .....B11B338E-0EFC-96EF-CE5D-9ABBA5FE4A62c768b<script>alert(1)</script>2346548e417..eDetected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly..IE6727E95-3A08-6210
      ...[SNIP]...

      Log message:

      [BlazeDS]FlexSession created with id '0065595E0446BED2F5BDF6A8AE17230F' for an Http-based client connection.
      [BlazeDS]Channel endpoint my-secure-amf received request.
      [BlazeDS]Deserializing AMF/HTTP request
      Version: 3
        (Message #0 targetURI=null, responseURI=/13)
          (Array #0)
            [0] = (Typed Object #1 'flex.messaging.messages.RemotingMessage')
              timestamp = 0.0
              headers = (Object #2)
                DSId = "E5C35526-7D0F-BF89-5F30-D6BC57DAF458"
                DSEndpoint = "my-secure-amf"
              operation = "commandList2"
              body = (Array #3)
                [0] = (Array #4)
                  [0] = (Object #5)
                    __MAPID__ = "U31_01.SIXMONTH_STAT_SELECT"
                    __COMMAND__ = "SELECT"
                    __PROGRAMID__ = "8f6e466ac0effee0bae53e99eec6dd22"
                [1] = "eb744107364e894a"
              source = null
              remotePassword = null
              remoteUsername = null
              parameters = (Externalizable Object #6 'flex.messaging.io.ArrayCollection')
                (Array #7)
                  [0] = (Ref #4)
                  [1] = "eb744107364e894a"
             messageId = "B11B338E-0EFC-96EF-CE5D-9ABBA5FE4A62c768b<script>alert(1)</script>2346548e417"
              timeToLive = 0.0
              clientId = null
              destination = "CommonService"

        • 1. Re: How to prevent Cross Site Scripting?
          drkstr_1 Level 4

          So do I understand correctly that your AMF service is throwing an error when you attempt to modify the session id? If so, then that's a good thing.


          XSS is only a problem if you are taking untrusted data, and putting it in a position where it could potentially be executed. If you are not running untrusted 3rd party modules in your Flex application, standard server-side security measures (aka input protection) should be adequate.
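The reply's two points, that a reflected string is only an XSS risk when it lands in a context a browser will execute, and that standard server-side input protection covers it, can be checked concretely against the trace in the question. The following is an added example written for this page, not code from the forum, Flex or BlazeDS. It assumes a messageId is a UUID-shaped hex string (an allowlist chosen for the example), reuses the injected messageId and the response headers from the Burp sample above, and shows three defender-side layers: reject malformed ids, HTML-escape the value if a server ever echoes it into a page, and classify whether the response's Content-Type is one a browser renders as HTML at all.

```python
import html
import re

# The value Burp injected, copied from the AMF trace in the question.
INJECTED_MESSAGE_ID = (
    "B11B338E-0EFC-96EF-CE5D-9ABBA5FE4A62c768b<script>alert(1)</script>2346548e417"
)
# A well-formed id, constructed for this example (same shape as the DSId in the trace).
GOOD_MESSAGE_ID = "B11B338E-0EFC-96EF-CE5D-9ABBA5FE4A62"

# Layer 1: input validation on the server.
# Assumption for this example: a messageId must look like a UUID (hex and dashes only).
UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def is_well_formed_message_id(value: str) -> bool:
    """Allowlist check: anything outside hex digits and dashes is rejected."""
    return UUID_RE.fullmatch(value) is not None


# Layer 2: contextual output encoding, for the one context where the value could run.
def render_error_html(message_id: str) -> str:
    """If a server ever echoed the id into an HTML page, escape it for that context."""
    return "<p>Failed message id: %s</p>" % html.escape(message_id, quote=True)


# Layer 3: decide whether a reflection is reachable by a browser's script engine.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def parse_headers(raw_response_head: str) -> dict:
    """Parse the header block of an HTTP response (status line first) into a dict."""
    headers = {}
    for line in raw_response_head.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def reflection_is_executable(headers: dict) -> bool:
    """A reflected string is an XSS risk only if the browser would render the
    response as HTML. A missing Content-Type is treated as risky because
    browsers may content-sniff it."""
    ctype = headers.get("Content-Type")
    if ctype is None:
        return True
    mime = ctype.split(";")[0].strip().lower()
    return mime in HTML_TYPES


# Response head reproduced from the question's Burp sample (cookies omitted).
SAMPLE_RESPONSE_HEAD = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/x-amf
Content-Length: 587
"""

if __name__ == "__main__":
    print("injected id well-formed:", is_well_formed_message_id(INJECTED_MESSAGE_ID))
    print("good id well-formed:", is_well_formed_message_id(GOOD_MESSAGE_ID))
    print("escaped:", render_error_html(INJECTED_MESSAGE_ID))
    amf_headers = parse_headers(SAMPLE_RESPONSE_HEAD)
    print("AMF reflection executable in a browser:", reflection_is_executable(amf_headers))
    print("HTML reflection executable:", reflection_is_executable({"Content-Type": "text/html"}))
```

Run against the trace, the injected messageId fails the allowlist, the escaped form contains no `<script>` tag, and the `application/x-amf` response is classified as not browser-renderable, which is why a scanner's reflection finding on an AMF endpoint needs the context check the reply describes before it is treated as exploitable XSS. The third layer is a triage aid, not a substitute for the first two; any endpoint that does return HTML still needs validation and encoding.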