Stored Cross Site Scripting (XSS) #473
Comments
You have not used the issue template we provide, so you have not provided some key information, such as the version of Node-RED this is being reported against. From the screenshot, I can see you are not using the current 0.19.x release. You will find this particular issue was fixed in 0.19 and a review done of anywhere that user input is handled to ensure it is sanitised before being displayed. I am not aware of any remaining such issue; but if you find one, please consider a more responsible disclosure method than raising on a public issue list. You can email team@nodered.org, or contact any of the core team directly. |
I am getting this issue in the 0.19.5 release as well |
@royaldevbrat and what version of Node-RED Dashboard? Assuming you can reproduce this when editing a dashboard group node. If you can recreate this with any other non-dashboard node, please provide details. |
I have identified the issue in the node-red-dashboard module. This is not a core node-red issue. I will move this issue over to the appropriate repository. |
But I am not using node-red-dashboard. |
Can you share precise steps to reproduce then? What node are you editing to insert the script? |
@royaldevbrat in my original reply to you I asked if you could recreate this with any non-dashboard node, and to provide details if that is the case. Right now, the only issue we are aware of is specific to the node-red dashboard sidebar. Please can you confirm exactly what you are doing to reproduce this. |
I have pushed a commit to replace as many .html( calls as possible with .text( . This should clean up the examples given so far. Please let us know of any more you can find. Thanks. To try it, install the master version in your node-red user directory.
|
I am using the Twitter node (some other nodes also have this issue) and adding some script when editing the node. Then, after deploy, I am getting that alert. Please check once whether it is a Node-RED or palette issue. Let me know how to mitigate this. Thanks in advance. |
@royaldevbrat thanks for that - your description has helped to identify the extra step you were taking to hit this compared to the original report. Specifically, it was the warning dialog when trying to deploy a misconfigured node. Have pushed a fix to node-red - will be in 0.20. |
I am also developing some nodes for my company. So can you please tell me how to fix this issue?
…On Thu, Feb 7, 2019 at 2:42 PM knolleary ***@***.***> wrote:
|
@royaldevbrat the fix was in the core of Node-RED. There's nothing to change in your node for this. The main thing to do is never display any node property without sanitising any html content. |
You can see the specific fix we applied for the instance you reported here: node-red/node-red@724acff |
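A string-level illustration of the .html( to .text( change and the "never display a node property without sanitising it" advice in the two maintainer comments above. This is an added example, not Node-RED's own fix or the commit linked above; escapeHtml, renderWarningUnsafe, renderWarningSafe, leaksMarkup and sampleNode are names chosen for this example, and the warning text is made up.

```javascript
// Added example, not code from Node-RED or its maintainers: it contrasts the
// jQuery-style .html(property) pattern with inserting the property as text,
// using plain strings so it runs without a DOM.

// Minimal HTML escaping for text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the string equivalent of
//   $(dialog).html('Node <b>' + node.name + '</b> is not valid')
// The node property is parsed as markup, so any tags it carries become live.
function renderWarningUnsafe(node) {
  return '<div class="warning">Node <b>' + node.name + '</b> is not valid</div>';
}

// Fixed pattern: the string equivalent of building the <b> element and calling
// $(b).text(node.name). The property is escaped and therefore shown verbatim.
function renderWarningSafe(node) {
  return '<div class="warning">Node <b>' + escapeHtml(node.name) + '</b> is not valid</div>';
}

// Detection check: true when the rendered HTML still contains the raw markup
// from the untrusted property, i.e. it was interpreted rather than displayed.
function leaksMarkup(renderedHtml, untrustedValue) {
  return /[<>]/.test(untrustedValue) && renderedHtml.includes(untrustedValue);
}

// Constructed sample: a node whose name field holds a script tag, the kind of
// value the reporter above entered through the node edit dialog.
const sampleNode = { id: 'n1', type: 'twitter in', name: '<script>alert(1)</script>' };

console.log('unsafe leaks markup:', leaksMarkup(renderWarningUnsafe(sampleNode), sampleNode.name)); // true
console.log('safe leaks markup:  ', leaksMarkup(renderWarningSafe(sampleNode), sampleNode.name));   // false
```

The same leaksMarkup check can be run over any editor string a node contributes (name, label, status text) before it is handed to the dialog.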
Thanks
…On Thu, Feb 7, 2019 at 6:15 PM knolleary ***@***.***> wrote:
|
so are we good to close this now - or ... ? |
closing as I believe this is now fixed as per issue above. No further feedback. |
This XSS issue in nodes has been fixed. But XSS can still occur in other places on the dashboard, actually at any place where user input is accepted by the application and is not sanitized. I would recommend trying the x-xss-protection HTTP response header in every response, which would enable the XSS filters built into browsers. It may solve all the XSS possibilities. At the same time, sanitizing all user inputs would be the best practice. |
Hopefully this fix in the core will mop up most of those - 1d7be6457ffa42247d9a02c8a5b630e4e33acf31 |
We observed that the web application is vulnerable to a cross-site scripting (XSS) attack due to inappropriate filtering of input variables. The application is accepting special characters as user input. Browsers are capable of displaying HTML pages and executing JavaScript. If the application does not escape special characters in the input/output and reflects user input as is back to the browser, an adversary may be able to launch a cross-site scripting attack successfully. The vulnerability was also observed in the parameters mentioned. However, the vulnerability might be present in the entire application, and all other parameters, functions and pages need to be checked for the same.
Stored XSS:
Step 1: Browse the URL and insert the Javascript payload as shown in the image below.
Step 2: The above image confirms that the application is vulnerable to Stored XSS.