Special characters - code injection
===
###### tags: `Special characters - code injection`
## Task: 'Take care of special characters. We do not want your evil chat counterparty to inject JavaScript code into your html page...'
-> JavaScript injection
-> HTML injection
-> Cross Site Scripting (XSS) attacks
Cross-site scripting (XSS) is a vulnerability. When exploited, a malicious user injects their own JavaScript so that it runs in your browser, usually without your knowledge. Prevent this using encoding; encoding is context dependent, so use the right type of encoding for each context.
- encode data on output (user input that is displayed): `<` and `>` become `&lt;` and `&gt;`
- encode before saving/sending to database
- avoid dynamic code execution (e.g. eval(), exec())
- JavaScript Dependency Injection
Most important solutions in our eyes:
- Whitelisting user input: the user can't type certain characters at all, which prevents code injection
- Encoding output: context-specific encoding to make sure text is displayed as text and not interpreted as e.g. user-specified HTML elements
Extra idea:
key suppression -> prevents the user from typing certain characters; should solve the problem almost completely
Sources:
https://snyk.io/blog/5-ways-to-prevent-code-injection-in-javascript-and-node-js/
https://github.blog/2022-02-16-encoding-escaping-untrusted-data-prevent-injection-attacks/
https://crashtest-security.com/code-injection/
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html#Server_Side
Example of how HTML injection works in an e-mail:
https://www.twilio.com/blog/prevent-email-html-injection-in-csharp-and-dotnet
eslint security checker:
https://www.npmjs.com/package/eslint-plugin-security-node
it has been installed and will show warnings for several security concerns
HTML encoding:
https://www.delftstack.com/howto/javascript/htmlencode-javascript/?utm_content=cmp-true
DOMPurify: purify dirty HTML into clean HTML
https://github.com/cure53/DOMPurify
JSON injection:
https://www.comparitech.com/net-admin/json-injection-guide/
https://www.invicti.com/learn/json-injection/
for the username: prevent the use of special characters entirely
hash the password immediately so that special characters can be used in it but are never stored as-is in the server-side JSON file
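Added example (our own code, not from any of the sources above) showing both main solutions together: an allow-list check for the username and HTML encoding of the message and username on output, for the HTML text context only (attribute and JavaScript contexts need their own encoders). The function names, the username rule and the sample message are assumptions for this note.

```javascript
// Map every HTML-significant character to its entity. Encoding happens at the
// moment text is put into the page (HTML element/text context).
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Allow-list (whitelist) for usernames: letters, digits, underscore, 3-16
// characters (rule chosen for this example). Anything outside the list is
// rejected rather than "cleaned up".
const USERNAME_RE = /^[A-Za-z0-9_]{3,16}$/;

function isValidUsername(name) {
  return typeof name === 'string' && USERNAME_RE.test(name);
}

// Build the markup for one chat line. Both fields are encoded on output, so a
// counterparty who does not use our input field (and so is not stopped by key
// suppression) and sends raw tags still gets shown as literal text.
function renderMessage(username, message) {
  if (!isValidUsername(username)) {
    throw new Error('invalid username');
  }
  return `<li><b>${encodeHtml(username)}</b>: ${encodeHtml(message)}</li>`;
}

// Constructed sample input: a message containing a script tag.
const sample = renderMessage('alice_1', '<script>alert(1)</script> & "hi"');
console.log(sample);
// → <li><b>alice_1</b>: &lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;hi&quot;</li>
```

The returned string can be assigned to `innerHTML` of the chat list; for a single message the simpler option is `element.textContent = message`, which needs no encoding at all.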
We could use percent-encoding to encode many special characters, spaces and any non-ASCII character such as emoji.
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page