IntraWeb Archive

Avoiding XSS (Cross Site Scripting) Vulnerability

Avoiding XSS (Cross Site Scripting) Vulnerability

IntraWeb 14.0.27 includes new feature to avoid Cross Site Scripting (XSS) vulnerability

There is a new event in TIWServerController named OnParseParameter:

When starting a new session, all run parameters are now pre-processed and some vulnerable tags (like <SCRIPT>, <OBJECT>, <EMBD>, etc.) are blocked by default. This event will trigger once for each parameter received.

Besides that, IntraWeb will also trigger an OnParseParameter event for each run parameter received in the request.

OnParseParameter event parameters:

  • AParam (string): contains the parameter received during session start. Note that this parameter is passed as reference, so users can change the received parameter.
  • AllowIt (boolean): Indicates if the pre-processor will block this parameter or not. Like AParam, users can force IntraWeb to allow it or not, changing the value of AllowIt.
  • Index (Integer): If AllowIt is false, Index contains the offending tag or expression position within AParam string. Users can check this and decide if they want to drop it or not.

You don’t need to add custom logic to OnParseParameter in most cases. If OnParseParameter is not assigned, IntraWeb will use its own logic to decide if it will accept the parameter or not.

Example of a OnParseParameter event:

procedure TIWServerController.IWServerControllerBaseParseParameter(
var AParam: string; var AllowIt: Boolean; const Index: Integer);
begin
if AllowIt then begin
if ContainsText(AParam, ‘<SomeBlockedTag>’) then begin // check if we received some forbidden tag
AllowIt := False; // if true, drop it!
end;
end;
end;

List of blocked tags:

  <script>
  <embed>
  <applet>
  <frameset>
  <form>
  <iframe>
  <meta>
  <layer>
  <object>
  <img>
  <link>
  <div>

Other expressions blocked:

javascript:
src=
href=
eval()
expression()
vbscript:
url=
url()

If your application receives one of these tags/expressions as a runtime parameter, you should add custom code to OnParseParameter event and instruct IntraWeb to accept the parameter.