+ 33

XSS Exploit on SL ⚡ Chat × COTD 😈

Hello, this is the author of Code of the Day on 10 December 2017. 👋 First and foremost I would like to thank SoloLearn for featuring my code and providing me the exposure to understand the challenge of creating a real-time application. I apologize if some of you are unhappy with the exploit and the complaint of almost nil client-side code. I'm not in the position to judge, but I hope it opens your eyes to what can be achieved via ASP.NET SignalR, which is my intention. I don't blame the hacker, as it's my fault for failing to perform a thorough check before releasing it while it's still in an early beta stage (v.0.9.9). I always believe that this platform allows everyone here to learn, and so here are some of the key takeaways that might benefit you:

✔️ ASP.NET SignalR is the official real-time solution provided by Microsoft, which supports the de facto WebSocket and Long Polling + Forever Frame as the fallback.
✔️ Make sure to sanitize user input on both client & server side to prevent a malicious user from running arbitrary JS code at your site.
✔️ Rate limiting and word filtering are encouraged for chat applications to prevent spam.

We disseminate knowledge at SoloLearn, not taking advantage of others or spreading hate. Thank you for the lesson and your interest, and I'm glad if it inspires you to try something new in future. Cheers!

https://code.sololearn.com/Wb819DHXTLW6/?ref=app

11th Dec 2017, 1:25 PM
Zephyr Koo
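The third takeaway above (rate limiting and word filtering for a chat app) is easy to state and easy to get subtly wrong, so here is an added example of what a server-side check could look like. This is illustrative code written for this page, not the original COTD code and not part of ASP.NET SignalR: the class and function names, the limit of 5 messages per 10 seconds, and the injectable clock are all assumptions chosen for the example. A SignalR hub written in C# would apply the same logic per connection ID before broadcasting.

```javascript
// Added example, not code from the original COTD. Per-connection sliding-window
// rate limiter plus a whole-word deny-list filter, the two checks a chat server
// would run before broadcasting a message to every connected client.

class MessageRateLimiter {
  // maxMessages per windowMs for each connectionId. `now` is injectable so the
  // limiter can be tested deterministically (assumption: caller supplies ms ticks).
  constructor(maxMessages = 5, windowMs = 10000, now = () => Date.now()) {
    this.maxMessages = maxMessages;
    this.windowMs = windowMs;
    this.now = now;
    this.history = new Map(); // connectionId -> timestamps of recent sends
  }

  // Returns true if the connection may send now, false if it is over the limit.
  // Timestamps older than the window are discarded on every call so the
  // per-connection array never grows beyond maxMessages.
  allow(connectionId) {
    const t = this.now();
    const recent = (this.history.get(connectionId) || [])
      .filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.maxMessages) {
      this.history.set(connectionId, recent);
      return false;
    }
    recent.push(t);
    this.history.set(connectionId, recent);
    return true;
  }

  // Forget connections with no sends inside the current window, so the map
  // does not keep state for clients that disconnected long ago.
  prune() {
    const t = this.now();
    for (const [id, stamps] of this.history) {
      if (stamps.every((ts) => t - ts >= this.windowMs)) this.history.delete(id);
    }
    return this.history.size;
  }
}

// Escape a literal so it can be embedded in a RegExp without changing meaning.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build a filter from a deny list. Entries match as whole words, case-insensitive,
// so "spam" blocks "SPAM" but not "spammer". Returns true if the message is allowed.
function makeWordFilter(denyList) {
  const pattern = new RegExp(`\\b(${denyList.map(escapeRegex).join('|')})\\b`, 'i');
  return (message) => !pattern.test(message);
}

// Combined gate a hub method would call before broadcasting.
// Returns one of: "ok", "rate-limited", "filtered".
function checkMessage(limiter, filter, connectionId, message) {
  if (!filter(message)) return 'filtered';
  if (!limiter.allow(connectionId)) return 'rate-limited';
  return 'ok';
}
```

Note the ordering in `checkMessage`: the word filter runs first so that a rejected message does not consume a slot in the sender's rate budget, but a client can still be throttled on filtered content if you prefer the opposite; either is defensible, the point is to decide it explicitly.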
12 Answers
+ 14
@Ipang Thank you! It's my bad, as I overlooked an input which allows arbitrary code injection into the page, although I do sanitize at other places. Well-learnt lesson! 🙇
11th Dec 2017, 7:30 AM
Zephyr Koo
+ 11
@Zephyr There is no need to apologize for the great code you have shown to us. The main purpose we are here in SL is to learn new techniques and improve ourselves. As programmers, we should understand that it's a programmer's common work route: we write code, run it, check for errors, debug and fix any errors, before we get a better program.
10th Dec 2017, 5:48 PM
Calviղ
+ 10
Hey dude, why apologize? Since we are members of the same community, we informed you about it so that you can make changes before releasing it officially. 😊😊😊
10th Dec 2017, 6:05 PM
S O U ✌️ I K
+ 10
Thank you very much for your support @Calvin & @souvik! Luckily there's no harm or loss and I'll be more cautious next time! 😄
10th Dec 2017, 10:32 PM
Zephyr Koo
+ 9
@Zephyr Honestly I haven't even seen or tested it yet, having been in and out of network connectivity, but I personally believe that there's no such thing as perfect; yet it's perfectly normal, as we're all humans, and if there's anyone judging you for a minor mistake, they need to clarify whether they ever made one. In short, no apology necessary... : )
11th Dec 2017, 4:25 AM
Ipang
+ 9
@Zephyr We all have been there and done that; it's okay, it's not yet in production stage too, right? Not a big problem. Just to answer my curiosity, which part of your work was it that was "vulnerable"? I'm interested to know, if you don't mind ; ) Keep learning and sharing your knowledge, you did well : )
11th Dec 2017, 8:57 AM
Ipang
+ 9
@Ipang Sure! The application actually just accepts 2 inputs, namely nickname and message, which are defined by the user. Arbitrary HTML/JS/CSS code can be injected freely into the page if it doesn't get sanitized/encoded safely before rendering in the client's browser. That means if we accept <marquee>Evil</marquee> as the nickname without any processing, the HTML code will be injected into the page and populated to every connected client! I was aware of the vulnerability before this and performed checks on the user's message but overlooked the nickname, and hence the chaos. 😲
11th Dec 2017, 12:15 PM
Zephyr Koo
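The answer above, together with the second takeaway in the opening post (sanitize on both client and server side), describes exactly one bug: one user-controlled field was encoded and the other was not. The following is an added example written for this page, not the original COTD code and not SignalR's own client library. It simulates the client-side rendering step as string building so it runs without a browser; the function names, the list-item markup and the hostile inputs are all assumptions chosen for illustration.

```javascript
// Added example, not code from the original COTD. Shows the vulnerable
// rendering path (nickname concatenated raw, only the message encoded) next
// to the hardened path (every user-controlled field encoded), and a DOM
// helper that avoids innerHTML altogether.

// Minimal HTML encoder: the five characters that can break out of text
// content or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE: mirrors the bug described in the thread. The message is
// encoded, but the nickname is dropped into the markup untouched, so a
// nickname of "<marquee>Evil</marquee>" becomes live HTML for every client
// that receives the broadcast.
function renderMessageVulnerable(nickname, message) {
  return `<li><b>${nickname}</b>: ${escapeHtml(message)}</li>`;
}

// HARDENED: treat every field that came from a user as untrusted text.
function renderMessageSafe(nickname, message) {
  return `<li><b>${escapeHtml(nickname)}</b>: ${escapeHtml(message)}</li>`;
}

// Preferred in a real browser: build nodes and assign textContent, so there
// is no HTML parsing of user data at all. `listEl` is assumed to be a <ul>.
function appendMessageToList(listEl, nickname, message) {
  const li = document.createElement('li');
  const b = document.createElement('b');
  b.textContent = nickname;           // never innerHTML for user data
  li.appendChild(b);
  li.appendChild(document.createTextNode(`: ${message}`));
  listEl.appendChild(li);
  return li;
}

// Heuristic check a reviewer can run over rendered output: does any
// user-controlled value survive as an unencoded tag?
function containsRawTag(html, userValues) {
  return userValues.some((v) => /<[a-zA-Z]/.test(v) && html.includes(v));
}

// Constructed hostile inputs, the same shape as the example in the thread.
const hostileNick = '<marquee>Evil</marquee>';
const hostileMsg = '<img src=x onerror="alert(document.cookie)">';

function demo() {
  const vulnerable = renderMessageVulnerable(hostileNick, hostileMsg);
  const safe = renderMessageSafe(hostileNick, hostileMsg);
  return {
    vulnerable,
    safe,
    vulnerableLeaks: containsRawTag(vulnerable, [hostileNick, hostileMsg]),
    safeLeaks: containsRawTag(safe, [hostileNick, hostileMsg]),
  };
}
```

Encoding on the client is what stops the markup from executing in the browser, but the opening post's advice to also check on the server is the part that protects every other connected client: a hub that accepts a raw nickname and rebroadcasts it has already shipped the payload to clients you do not control, so the server should at minimum reject or encode fields before broadcasting, and the client should encode again at render time.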
+ 9
@swim Glad you're interested to check out the code too! Common web programmers' habit. 😂 I agree with you, and luckily no serious damage was done. Let's hope this will motivate SoloLearn devs to implement a full-fledged chat system for every one of us in the near future! 😉
11th Dec 2017, 12:20 PM
Zephyr Koo
+ 7
Ok
10th Dec 2017, 4:40 PM
LunarCoffee