
XSS ATTACK

Purnima Nair, modified 6 years ago.

XSS ATTACK

New Member Posts: 18 Join date: 07/06/17
Hi

We are using Liferay 6.2 community version. In Liferay's URL, parameters like p_p_id, p_p_lifecycle etc. are getting appended by itself.
Is there any way to prevent XSS attack on these Liferay's parameters?
We have already implemented HtmlUtil.escape(this.getUserName()); for input parameters and in filters.

Thanks in advance.
David H Nebinger, modified 6 years ago.

RE: XSS ATTACK

Liferay Legend Posts: 14919 Join date: 02/09/06
What makes you think these parameters are susceptible to an XSS attack in the first place?

Come meet me at the 2017 LSNA!
Purnima Nair, modified 6 years ago.

RE: XSS ATTACK

New Member Posts: 18 Join date: 07/06/17
These have been reported during the security testing.
David H Nebinger, modified 6 years ago.

RE: XSS ATTACK

Liferay Legend Posts: 14919 Join date: 02/09/06
Tools will often flag false positives.

You have to know enough about the site you're implementing to identify the false positives and explain why they are not really attack vectors.
Purnima Nair, modified 6 years ago.

RE: XSS ATTACK

New Member Posts: 18 Join date: 07/06/17
Thanks for the reply.

Using the Burp tool, parameters are modified, e.g. p_p_id=<script >alert("ABC")</script>.
After executing the URL with the <script> tag, an alert message is shown on that page, so we have to prevent these types of attacks.
Is there any way to identify if it is a false positive?
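As an added example (not code from the thread or from Liferay), a small Python triage helper for the question above: it checks how a scanner's probe value comes back in a response, verbatim (the parameter really reaches the page unencoded), entity-encoded (what HtmlUtil.escape produces, so a likely false positive) or not at all. The response bodies are constructed samples, not captured from a real Liferay instance.

```python
import html

# The probe value quoted in the thread (constructed sample input).
PROBE = '<script >alert("ABC")</script>'

# Constructed sample responses, keyed by the URL parameter that was modified.
# None of these were captured from a real Liferay server.
SAMPLE_RESPONSES = {
    # value reflected into an id attribute, but HTML-entity-encoded
    "p_p_id": '<div id="p_&lt;script &gt;alert(&quot;ABC&quot;)&lt;/script&gt;"></div>',
    # value reflected with numeric entities (also a safe encoding)
    "p_p_state": '<p>&#60;script &#62;alert(&#34;ABC&#34;)&#60;/script&#62;</p>',
    # value not reflected at all
    "p_p_lifecycle": "<p>Lifecycle: 0</p>",
    # value reflected verbatim: this is the case that genuinely needs fixing
    "custom_param": '<span>Searched for: <script >alert("ABC")</script></span>',
}


def classify_reflection(probe: str, body: str) -> str:
    """Return 'raw', 'escaped' or 'absent' for how `probe` appears in `body`.

    'raw'     - the probe is present byte-for-byte, so markup from the
                parameter reaches the page unencoded (a real finding).
    'escaped' - the probe is only present after entity-decoding the body,
                i.e. the server encoded it (what HtmlUtil.escape does).
    'absent'  - the parameter value is not reflected in this response.

    Assumes the value lands in element text or a quoted attribute; values
    placed inside <script> blocks or event handlers need context-specific
    encoding and must be reviewed separately.
    """
    if probe in body:
        return "raw"
    # html.unescape() folds &lt;, &#60;, &#x3c; etc. back to '<', so any
    # entity form of the probe is recognised as an encoded reflection.
    if probe in html.unescape(body):
        return "escaped"
    return "absent"


def needs_fix(probe: str, responses: dict) -> list:
    """List the parameters whose responses reflect the probe unencoded."""
    return [
        name for name, body in responses.items()
        if classify_reflection(probe, body) == "raw"
    ]


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(f"{name}: {classify_reflection(PROBE, body)}")
    print("needs fix:", needs_fix(PROBE, SAMPLE_RESPONSES))
```

Only the parameters reported as `raw` need a code change; `escaped` and `absent` results are the evidence to hand back to the tester when marking a finding as a false positive.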
Arun Das, modified 6 years ago.

RE: XSS ATTACK

Regular Member Posts: 166 Join date: 23/07/12
Hi Purnima,
We also encountered this issue a year or 2 back when we did the penetration testing. Do upgrade to the latest version (7.0.4 GA5) or at least to the latest version of the 6.2.x branch, which is 6.2.5 GA6. Then download and install the security patches from here.

HTH
Arun
Samuel Kong, modified 6 years ago.

RE: XSS ATTACK

Liferay Legend Posts: 1902 Join date: 10/03/08
Hi Purnima

Is the problem with a custom portlet that you developed, or is the problem with an out-of-the-box portlet?

If the problem is with a custom portlet, we can only help if you make your code accessible to us.

If it's an out-of-the-box portlet:
  • What specific version of Liferay Portal are you using?
  • If you haven't updated to GA6, you should do so.
  • Have you applied all available community security patches for GA6? If not, you should do so.
  • If that doesn't fix things for you, you may want to try upgrading to Liferay Portal 7.0 CE since Liferay Portal 6.2 CE is no longer supported.
  • If you're still seeing the problem after that, you can report the issues to the security team. Instructions for doing so can be found here. When reporting the issue, please make sure you include the version of Liferay Portal and steps to reproduce the issue.