5

I am working on a project involving an input form where customers enter their name and email to start a conversation with support. The form works well, but I've noticed some issues with the 'Name' input field. Specifically, I can use developer tools to modify the number of characters allowed in this field and insert JavaScript code, such as element.value="<script>alert('test');</script>".

When I enter this code as the username and an email address, I can start a chat with the name element.value="<script>alert('test');</script>", and everything functions correctly—I can send and receive messages without any issues. However, when I check the database, I see that the user's name is stored exactly as entered, including the JavaScript code.

My concerns are as follows:

Database Vulnerability: Is it a potential vulnerability that JavaScript code can be injected into the MySQL database through the name field? Could this be exploited to inject a large amount of JavaScript code into the database?

Execution of JavaScript Code: When generating statistical reports (since this is a call center server), the JavaScript code in the customer name gets executed, causing an alert window to appear on my screen. Can querying the database trigger the execution of this code? Does this indicate a vulnerability?

Any help or guidance on addressing these issues would be greatly appreciated.

Improve this question
6
  • Welcome to the community. If I understand correctly the first question is simply manipulation within the frontend, which is normal (please correct me if I'm wrong) Commented Aug 6, 2024 at 9:39
  • 2
    while frontend validations are nice to have, they do not replace the need for backend validations. (So for number of characters, make backend validate that as well and respond back when it fails... same goes for any disallowed characters.) Commented Aug 6, 2024 at 20:03
  • Welcome! I edited your question adding a few backticks to make the actual code visible (as Stack Exchange is doing some filtering to avoid these kinds of vulnerabilities). Feel free to edit again. Commented Aug 6, 2024 at 23:35
  • @Sir Muffington Thank you, it's great to be here. You are correct; the issue is indeed related to frontend manipulation. My concern is that users can insert very long strings, payloads, or other potentially harmful input into the input field, which will be stored in the database. Commented Aug 7, 2024 at 6:54
  • @browsermator Thank you for the advice. I'll be doing some research on how to properly implement these validations. Commented Aug 7, 2024 at 6:58

2 Answers 2

Reset to default
17

an alert window to appear on my screen ... Does this indicate a vulnerability?

Yes. The tool that creates the reports should display the name as-is without executing JavaScript. Executing the JavaScript makes it possible for an attacker to run malicious JavaScript in the context of the application, and basically perform any action the current user can do. This vulnerability is called cross-site scripting or XSS, which is a confusing name for being able to execute JavaScript where you shouldn't.

Is it a potential vulnerability that JavaScript code can be injected into the MySQL database through the name field?

No. Storing or retrieving JavaScript in a database does not execute it. It's just textual data for the database. Storing any kind of data, including JavaScript or HTML, in a database is not a vulnerability.

The correct way to solve XSS is to do output encoding, preferably automated using a template engine. Additionally, some people do input validation to restrict what data can be entered. For example, you can argue that an equals sign = should never occur in a person's name, and that you should block names that contain it. This does provide additional defense, but does not solve the underlying problem, and can cause problems for people with unusual names. Allowing all valid input while disallowing any invalid input is often hard to accomplish.

Improve this answer
16
  • thanks for getting back to me—I really appreciate it! I have some basic knowledge of XSS and tried inserting my script to see if it would execute when generating the stats report. Commented Aug 6, 2024 at 8:56
  • 4
    Another (minor, compared to the XSS in the report generator) vulnerability is that apparently the username is supposed to have a character limit, but this is not enforced by the backend server, there only is an input attribute in the frontend. Commented Aug 6, 2024 at 18:42
  • 3
    The important thing to remember is that while they may look the same in most cases, text, HTML, and Javascript strings (and SQL strings, and many more) are not the same thing. Text needs to be encoded before it is used in HTML or Javascript or JSON or SQL. Always. All the time. Each and every time. No exceptions. Commented Aug 6, 2024 at 21:59
  • 2
    @ColbyCotton: I think jcaron refers to output encoding as explained in the answer - whenever a software generates HTML (or SQL etc.), any data included in the HTML must be encoded before inclusion - e.g. replacing special characters with HTML escapes. Commented Aug 7, 2024 at 7:40
  • 1
    @ColbyCotton: Look, you are not getting the point! Absolutely NO software or webpage should ever put a user name into a context where it can be executed. This has nothing to do with CSP!!! Anyone who knows basic HTML (not to say JS) knows that you must escape any string before you can put it into a webpage. Not to say that an inline script can do anything that an external script can, so your last sentence is entirely false. Commented Aug 8, 2024 at 14:27
-1

In addition to @sjoerd's great answer and inspired by it, I propose to always use the concept of privilege dropping:

Within this concept, the main application's task is to start subprocesses for every occuring task with only the privileges which the current task really needs.

In this way, a security bug within a subprocess is often not as bad as within a monolithic application, if the subprocess has lower privileges -- in this way the attacker which got control over a subprocess may e. g. not be allowed to change the database, if the subtask is only allowed to read the database.

Improve this answer
1
  • 3
    welcome - this is sound advice in response to an entirely different question :) Commented Aug 8, 2024 at 17:51

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.