I was reading about Stored XSS via AJAX on Web Application Exploits and Defenses (Cross-Site Scripting (XSS), google-gruyere.apps...) where it says "Second, in the browser, Gruyere converts the JSON by using Javascript's eval. In general, eval is very dangerous and should rarely be used. If it is used, it must be used very carefully, which is hardly the case here. We should be using the JSON parser which ensures that the string does not include any unsafe content. The JSON parser is available at json.org." So I'm wondering what does Dancer do? eval or uses a parser?
Hi Mike,

These XSS attacks are Javascript-based, which means they operate on the user's browser. Dancer runs on the server and is written in Perl, so XSS attacks written to take advantage of the Javascript 'eval' command would have no effect on your Dancer app. Wikipedia has a useful article about XSS that should help clear up the confusion: https://en.wikipedia.org/wiki/Cross-site_scripting

On 9 October 2015 at 01:53, Mike Cu <mike_cu80@yahoo.com> wrote:
I was reading about Stored XSS via AJAX on Web Application Exploits and Defenses
where it says "Second, in the browser, Gruyere converts the JSON by using Javascript's eval. In general, eval is very dangerous and should rarely be used. If it is used, it must be used very carefully, which is hardly the case here. We should be using the JSON parser which ensures that the string does not include any unsafe content. The JSON parser is available at json.org."
So I'm wondering what does Dancer do? eval or uses a parser?
_______________________________________________ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
On Oct 9, 2015, at 10:33 AM, Amelia Ireland <aireland@lbl.gov> wrote:
These XSS attacks are Javascript-based, which means they operate on the user's browser. Dancer runs on the server and is written in Perl, so XSS attacks written to take advantage of the Javascript 'eval' command would have no effect on your Dancer app.
Additionally, ECMAScript 5.1 and 6 added JSON.parse() specifically to avoid the need to either use eval() or hand-roll a JSON parser: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Obj... Well-written client-side libraries like jQuery use JSON.parse() if available. jQuery doesn’t fall back on a hand-rolled parser, though, probably because it would add too much code, and would only be needed to support old browsers. It just uses a hidden form of eval() if JSON.parse() doesn’t exist. Therefore, security against XSS in this case depends on using a modern browser. As noted by MDN, that means any version of Chrome, Firefox 3.5+, IE 8+, Opera 10.5+, or Safari 4+. Notice that the only one of these that isn’t ancient by now is IE, which is why friends don’t let friends use IE. :)
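As an added illustration of the eval-versus-JSON.parse point above (example code written for this thread, not taken from Dancer, jQuery or Gruyere), the block below decodes two constructed server responses both ways: eval executes whatever JavaScript the response happens to contain, while JSON.parse rejects anything that is not JSON, and a strict wrapper refuses to downgrade to eval when JSON.parse is missing.

```javascript
// Added example (not from the Dancer thread or jQuery): contrasts eval-based
// JSON decoding with JSON.parse on constructed server responses.

// Constructed response that is valid JSON: both decoders accept it.
const GOOD_RESPONSE = '{"user": "alice", "msg": "hello"}';

// Constructed response that is NOT JSON: a JavaScript expression with a side
// effect that still evaluates to an object. A JSON body assembled from
// unescaped user input (the Gruyere bug) can end up looking like this.
const sideEffects = { count: 0 };
const BAD_RESPONSE = '(sideEffects.count++, {"user": "alice"})';

// Decoding the way old code (and jQuery's eval fallback) did: any JavaScript
// expression in the response is executed, not merely parsed.
function decodeWithEval(text) {
  return eval('(' + text + ')');
}

// Decoding with JSON.parse: only the JSON grammar is accepted, so a response
// that carries code is rejected with a SyntaxError instead of being run.
function decodeWithJsonParse(text) {
  return JSON.parse(text);
}

// Strict wrapper: if JSON.parse is unavailable (an old browser), fail closed
// rather than silently falling back to eval as jQuery does.
function parseJsonStrict(text) {
  if (typeof JSON !== 'object' || typeof JSON.parse !== 'function') {
    throw new Error('JSON.parse unavailable; refusing to fall back to eval');
  }
  return decodeWithJsonParse(text);
}

// Runs both decoders over both responses and reports what happened.
function demo() {
  sideEffects.count = 0;
  const results = {};
  results.evalGood = decodeWithEval(GOOD_RESPONSE).user;      // "alice"
  results.evalBad = decodeWithEval(BAD_RESPONSE).user;        // "alice", but embedded code ran
  results.sideEffectsAfterEval = sideEffects.count;           // 1
  try {
    parseJsonStrict(BAD_RESPONSE);
    results.strictBadRejected = false;
  } catch (e) {
    results.strictBadRejected = e instanceof SyntaxError;     // true
  }
  results.strictGood = parseJsonStrict(GOOD_RESPONSE).user;   // "alice"
  return results;
}
```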