Posted to user@guacamole.apache.org by "hvekeria@caci.co.uk" <hv...@caci.co.uk> on 2021/03/04 16:43:10 UTC

DOM based XSS protections

Hello,

Might be a slightly obscure topic, but I've not been able to figure out
whether Apache Guacamole has any built-in features or protections to prevent
DOM based XSS attacks.

We've had a security questionnaire come through which includes this as a
topic; I've included an OWASP link below. Are you able to provide any info
on whether there's something in place for this?

"Some XSS vulnerabilities work exclusively on the client side, in an
application's scripting code. This kind of XSS is commonly referred to as
DOM-based XSS. Because server-side escaping of user input does not protect
against DOM-based XSS, you need a strategy for dealing with client-side
scripting code that handles user input, as well as parts of the DOM that may
contain user input (such as document.location)"

https://owasp.org/www-community/attacks/DOM_Based_XSS 

Thanks

Himat





Re: DOM based XSS protections

Posted by Mike Jumper <mi...@glyptodon.com>.
On Thu, Mar 4, 2021 at 8:43 AM hvekeria@caci.co.uk <hv...@caci.co.uk>
wrote:

> Hello,
>
> Might be a slightly obscure topic, but I've not been able to figure out
> whether Apache Guacamole has any built-in features or protections to
> prevent DOM based XSS attacks.
>
> We've had a security questionnaire come through which includes this as a
> topic; I've included an OWASP link below. Are you able to provide any info
> on whether there's something in place for this?
>
> "Some XSS vulnerabilities work exclusively on the client side, in an
> application's scripting code. This kind of XSS is commonly referred to as
> DOM-based XSS. Because server-side escaping of user input does not protect
> against DOM-based XSS, you need a strategy for dealing with client-side
> scripting code that handles user input, as well as parts of the DOM that
> may contain user input (such as document.location)"
>
> https://owasp.org/www-community/attacks/DOM_Based_XSS


In Guacamole's case, all escaping is client-side:

   - There are no server-generated dynamic documents outside the static
   contents of the webapp and additional static contents provided by
   extensions.
   - Dynamic data comes to the client side only in the form of JSON
   responses to REST API requests, none of which are expected to be
   pre-escaped.
   - Neither data retrieved from the server (REST API) nor data obtained
   purely client-side (things like search filters) are ever simply
   concatenated into a document. Such data is only included using AngularJS'
   data binding, which is automatically escaped.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.
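The distinction the reply draws, between concatenating a client-side value straight into a document and inserting it only through a data binding that escapes on the way in, is shown below as an added example. It is not Guacamole code and not part of the thread; the function names (escapeHtml, renderUnsafe, renderSafe, interpolate, filterFromLocation, tagCount) and the sample location are constructed for illustration. The interpolate function is a minimal stand-in for what AngularJS `{{ }}` binding does, not AngularJS itself.

```javascript
// Added example (not from the Guacamole project or the thread's authors).
// Contrasts string concatenation of an untrusted client-side value into
// markup with escape-on-insert, the behaviour the reply attributes to
// AngularJS data binding. All names below are hypothetical.

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: whatever the client-side value contains becomes markup.
function renderUnsafe(filter) {
  return '<div class="filter">Showing: ' + filter + '</div>';
}

// Safe pattern: the value is escaped at the point of insertion, so it is only ever text.
function renderSafe(filter) {
  return '<div class="filter">Showing: ' + escapeHtml(filter) + '</div>';
}

// Tiny stand-in for a data-binding template engine: every {{name}} placeholder is
// replaced with the escaped value, so template authors cannot forget to escape.
// Supports dotted paths such as {{ user.name }}; missing values render as empty text.
function interpolate(template, scope) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), scope);
    return value == null ? '' : escapeHtml(value);
  });
}

// Read a value from a DOM source such as document.location. A location-like
// object is passed in so the function also runs outside a browser.
function filterFromLocation(loc) {
  const hash = (loc && loc.hash) || '';
  const prefix = '#filter=';
  return hash.startsWith(prefix) ? decodeURIComponent(hash.slice(prefix.length)) : '';
}

// Count HTML tags in a rendered string; used to show that the unsafe render
// grows extra elements while the safe render keeps only the template's own.
function tagCount(markup) {
  return (markup.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Constructed sample: a URL fragment carrying markup, the kind of DOM source
// (document.location) the OWASP text refers to.
const SAMPLE_LOCATION = { hash: '#filter=' + encodeURIComponent('<span>injected</span>') };

if (typeof require !== 'undefined' && require.main === module) {
  const filter = filterFromLocation(SAMPLE_LOCATION);
  console.log('unsafe :', renderUnsafe(filter));
  console.log('safe   :', renderSafe(filter));
  console.log('binding:', interpolate('<div>{{ filter }}</div>', { filter }));
}
```

Running it prints the unsafe render with a live `<span>` element added by the fragment, while the safe render and the binding both show the same characters as escaped text. Checking a code base for this property amounts to confirming that every sink (innerHTML, document.write, and similar) receives only template output or escaped text, which is what the reply states for Guacamole's use of AngularJS bindings.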