Forum

XSS ATTACK

Purnima Nair, modified 6 years ago.

XSS ATTACK

New Member Posts: 18 Join Date: 07/06/17
Hi

We are using the Liferay 6.2 community version. In Liferay's URLs, parameters like p_p_id, p_p_lifecycle etc. get appended automatically.
Is there any way to prevent XSS attacks on these Liferay parameters?
We have already implemented HtmlUtil.escape(this.getUserName()) for input parameters and in filters.

Thanks in advance.
David H Nebinger, modified 6 years ago.

RE: XSS ATTACK

Liferay Legend Posts: 14919 Join Date: 02/09/06
What makes you think these parameters are susceptible to an XSS attack in the first place?
Come meet me at the 2017 LSNA!
Purnima Nair, modified 6 years ago.

RE: XSS ATTACK

New Member Posts: 18 Join Date: 07/06/17
These have been reported during the security testing.
David H Nebinger, modified 6 years ago.

RE: XSS ATTACK

Liferay Legend Posts: 14919 Join Date: 02/09/06
Tools will often flag false positives.

You have to know enough about the site you're implementing to identify the false positives and explain why they are not really attack vectors.
Purnima Nair, modified 6 years ago.

RE: XSS ATTACK

New Member Posts: 18 Join Date: 07/06/17
Thanks for the reply.

Using the Burp tool, parameters are modified, e.g. p_p_id=<script>alert("ABC")</script>.
After executing the URL with the <script> tag, an alert message is shown on that page, so we have to prevent these types of attacks.
Is there any way to identify if it is a false positive?
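One way to settle the false-positive question raised here and in the reply above ("Tools will often flag false positives"): re-send the Burp request and classify how the response reflects the payload. A finding is only real if the payload comes back verbatim in the markup; an HTML-, URL- or JavaScript-escaped copy is harmless, and no reflection at all is scanner noise. The following is an added example, not code from this thread or from Liferay. It runs offline on constructed response bodies; the base URL, the default portlet id 58 and the sample responses are assumptions for illustration.

```python
"""Triage a reflected-XSS finding on a Liferay portlet parameter.

Added example for the forum thread, not Liferay code. The sample
responses below are constructed; in practice feed classify_reflection()
the response bodies captured in Burp.
"""
import html
import urllib.request
from urllib.parse import quote, urlencode

# The exact payload the poster injected into p_p_id with Burp.
PAYLOAD = '<script>alert("ABC")</script>'


def build_probe_url(base, param="p_p_id", payload=PAYLOAD):
    """Build the probe URL with the payload in one portlet parameter.

    The other portlet parameters are the ones Liferay 6.2 normally appends;
    portlet id 58 (the login portlet) is just an assumed starting value.
    """
    params = {
        "p_p_id": "58",
        "p_p_lifecycle": "0",
        "p_p_state": "normal",
        "p_p_mode": "view",
    }
    params[param] = payload           # overwrite the chosen parameter
    return base + "?" + urlencode(params)


def classify_reflection(body, payload=PAYLOAD):
    """Return how the response reflects the payload.

    'raw'     - verbatim copy present: the browser will execute it (true positive)
    'escaped' - only an encoded copy present: rendered as text, not executed
    'absent'  - not reflected at all: the scanner's alert was noise
    """
    if payload in body:
        return "raw"
    encoded_forms = {
        html.escape(payload, quote=True),    # &lt;script&gt;alert(&quot;ABC&quot;)...
        html.escape(payload, quote=False),   # &lt;script&gt;alert("ABC")...
        quote(payload, safe=""),             # %3Cscript%3Ealert%28%22ABC%22%29...
        payload.replace("<", "\\u003c").replace(">", "\\u003e"),  # JS/JSON escape
    }
    if any(form in body for form in encoded_forms):
        return "escaped"
    return "absent"


def triage(responses):
    """Classify a mapping of label -> response body."""
    return {label: classify_reflection(body) for label, body in responses.items()}


def fetch_and_classify(url, timeout=10):
    """Live variant: request the probe URL and classify the real response."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


# Constructed sample responses standing in for three kinds of page.
SAMPLE_RESPONSES = {
    # Page that writes the parameter straight into the markup: exploitable.
    "vulnerable": '<div id="p_p_id_' + PAYLOAD + '_"></div>',
    # Page that HTML-escapes the value before output: safe.
    "escaped": '<div id="p_p_id_' + html.escape(PAYLOAD, quote=True) + '_"></div>',
    # Page that rejects the bogus portlet id and renders nothing of it: safe.
    "ignored": "<html><body>Portlet not found</body></html>",
}

if __name__ == "__main__":
    print(build_probe_url("https://portal.example/web/guest/home"))
    for label, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{label}: {verdict}")
```

The 'raw' verdict on a portal-generated parameter such as p_p_id means the reflection happens in Liferay's own rendering, not in application code, which is why escaping your own inputs with HtmlUtil.escape does not close it and a portal patch is the fix. Only the first classification, the verbatim copy, should be reported as a vulnerability.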
Arun Das, modified 6 years ago.

RE: XSS ATTACK

Regular Member Posts: 166 Join Date: 23/07/12
Hi Purnima,
We also encountered this issue a year or two back when we did penetration testing. Do upgrade to the latest version (7.0.4 GA5), or at least to the latest version of the 6.2.x branch, which is 6.2.5 GA6. Then download and install the security patches from here.

HTH
Arun
Samuel Kong, modified 6 years ago.

RE: XSS ATTACK

Liferay Legend Posts: 1902 Join Date: 10/03/08
Hi Purnima

Is the problem with a custom portlet that you developed, or is the problem with an out-of-the-box portlet?

If the problem is with a custom portlet, we can only help if you make your code accessible to us.

If it's an out-of-the-box portlet:
  • What specific version of Liferay Portal are you using?
  • If you haven't updated to GA6, you should do so
  • Have you applied all available community security patches for GA6? If not, you should do so.
  • If that doesn't fix things for you, you may want to try upgrading to Liferay Portal 7.0 CE since Liferay Portal 6.2 CE is no longer supported.
  • If you're still seeing the problem after that, you can report the issues to the security team. Instructions for doing so can be found here. When reporting the issue, please make sure you include the version of Liferay Portal and steps to reproduce the issue.