Cross-site Scripting and SQL Injection Attacks

To make sure that an Iron Speed Designer generated application is not vulnerable to cross-site scripting (XSS) and SQL injection attacks, use the following guidelines:

  1. SQL injection attacks. SQL injection is the act of entering a specially crafted string into a text box or query string so that potentially malicious SQL code is executed. For example, if you have an ASP page that accepts an ID field as a query string parameter, and this ID field is then used to build a dynamic SQL query, your application may be subject to a SQL injection attack. Using such a value as a parameter in a formula exposes the formula to malicious use by an attacker. By default, Iron Speed Designer quotes all values in the formula editor to prevent SQL injection attacks.

  2. Persistent cross-site scripting (XSS). Persistent XSS occurs when data provided by the attacker is saved by the server and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. To protect your web site from persistent XSS, make sure that all values shown as labels or literals are HTML encoded. Iron Speed Designer gives a choice of showing text as rich text (the default option) or HTML encoded. The first option allows formatted and colorful text to be displayed but adds a risk of XSS. The second option eliminates the risk of persistent XSS, but in exchange your text will show HTML tags instead of color or other HTML formatting. You may set this option globally in Application Generation Options or on a per-control basis. For example, you may globally set HTML encoding for all text controls but enable rich text for a certain label whose content is not editable by public users.
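The following hand-written ASP.NET code-behind page is an added example, not code generated by Iron Speed Designer or part of its framework. It illustrates guidelines 1 and 2 together: the ID from the query string is bound as a typed SQL parameter instead of being concatenated into the statement, and the text it retrieves is HTML encoded before being placed in a Label. The table name Comments, its columns CommentId and Body, the connection string name AppDb, and the two Label controls CommentLabel and RichCommentLabel are assumptions made for this example.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: a hand-written ASP.NET code-behind page, not code generated by
// Iron Speed Designer. It assumes a table "Comments" with columns CommentId (int)
// and Body (nvarchar), a connection string named "AppDb" in web.config, and two
// Label controls, CommentLabel and RichCommentLabel, declared in the .aspx markup.
public partial class ShowComment : Page
{
    // UNSAFE (guideline 1): the query-string value is pasted into the SQL text,
    // so anything other than a plain number changes what the statement does.
    // Kept here only for contrast; Page_Load never calls it.
    private static string BuildDynamicSql(string rawId)
    {
        return "SELECT Body FROM Comments WHERE CommentId = " + rawId;
    }

    // SAFE (guideline 1): the value is type-checked and bound as a parameter.
    // The database receives it as data, never as part of the SQL statement.
    private static SqlCommand BuildParameterizedCommand(SqlConnection conn, string rawId)
    {
        int id;
        if (!int.TryParse(rawId, out id))
        {
            throw new HttpException(400, "CommentId must be an integer.");
        }
        SqlCommand cmd = new SqlCommand(
            "SELECT Body FROM Comments WHERE CommentId = @CommentId", conn);
        cmd.Parameters.Add("@CommentId", SqlDbType.Int).Value = id;
        return cmd;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string rawId = Request.QueryString["ID"];
        string connStr = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = BuildParameterizedCommand(conn, rawId))
        {
            conn.Open();
            object result = cmd.ExecuteScalar();
            string body = result == null ? string.Empty : (string)result;

            // Guideline 2, "HTML encoded" option: markup stored by another user is
            // rendered as literal text (a stored "<b>" appears on screen as <b>),
            // so it is never interpreted by the browser.
            CommentLabel.Text = HttpUtility.HtmlEncode(body);

            // Guideline 2, "rich text" option: the stored value is emitted verbatim,
            // so any markup in it is interpreted. Acceptable only when the content
            // is not editable by public users.
            RichCommentLabel.Text = body;
        }
    }
}
```

The contrast between BuildDynamicSql and BuildParameterizedCommand is the same distinction the formula editor's default quoting is meant to enforce: a value that arrives as a parameter cannot alter the structure of the statement. On the output side, the two Label assignments correspond to the per-control choice described above; in a generated application you would normally pick the encoded form globally in Application Generation Options and relax it only for individual, non-user-editable labels.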

  3. Non-persistent XSS. These holes show up when data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request. To prevent unauthorized URL parameters from being passed, always set the Encrypt URL parameters option to 'Yes' in the Application Generation Options wizard.

Another way to pass script to the page is through the hidden __Lastfocus variable. An Iron Speed Designer generated application uses a sophisticated script to ensure that focus stays on the last focused element regardless of the presence of images or a rich text editor. This script, however, uses the __Lastfocus field to find the last focused control. Although this type of vulnerability does not present a serious threat (*), in certain cases you may want to eliminate it anyway. You may do that by commenting out the contents of the LoadFocusScripts and SetFocusOnLoad methods in Shared\BaseApplicationPage. In this case the application will use the standard .NET set-focus functionality.

(*) To be affected by __Lastfocus XSS, a victim has to first open the page, then deliberately visit a malicious site which sets the __Lastfocus value, then hit the back button to return to the original page and cause a postback.


See Also

The Formula Language

Data Validation with Formulas

Dropdown Filtering with Formulas

Common Formula Examples

Cross-site Scripting and SQL Injection Attacks

Formula Run-Time Performance