Encryption and XSS protection on client-side in web application

mary_joyg231170

20-08-2019

Hi everyone.

I created a web application for seminar registration in Adobe Campaign Classic v7.

This is my workflow:

[workflow screenshot]

Client wants to apply encryption and XSS protection on the client and server side to the payload before submitting it.
I have checked built-in functions in Campaign such as cryptString(), decryptString() and NL.JS.escape().

This is my script inside the Page activity:
      <script type="text/javascript">
          // <![CDATA[
          function formSubmit(e) {

              var firstName = document.getElementById("firstName").value;

              var email = document.getElementById("email").value;
              var memberId = document.getElementById("memberId").value;

              var mobile = document.getElementById("mobilePhone").value;

              document.controller.setValue('/ctx/vars/firstName', firstName);

              document.controller.setValue('/ctx/vars/email', email);
              document.controller.setValue('/ctx/vars/memberId', memberId);
              document.controller.setValue('/ctx/vars/mobile', mobile);

              document.controller.submit('next');

              return false;

          }
          // ]]>
      </script>

I tried to use the cryptString() during setValue like this:
          document.controller.setValue('/ctx/vars/memberId', '<%= cryptString("' + memberId + '")%>');
However, instead of encrypting the value entered in the textfield, it's actually encrypting the string " + memberId + ".
     
Is there any way we can do this?

Any help is greatly appreciated.

Accepted Solutions (1)

saikatk2447661

23-08-2019

Hi,

document.controller.setValue() runs on the client side, but cryptString is a server-side function. I guess the only way to solve this is to send the value to the server unencrypted (just by document.controller.submit('next');) and then use a Script activity to do the encryption server-side.

Thanks,

Saikat

Answers (5)

mary_joyg231170

26-08-2019

Hi Saikat.

It's actually the other way around.

The web application I created submits user information (Page) and processes it inside the Script activity.

Client wants two fields to be encrypted during transition for security purposes.

They also want to apply escaping for XSS protection.

Do you have any advice on how to do this?

saikatk2447661

26-08-2019

Hi Mary,

When you are doing this, the server is serving the web page to the client after doing the encryption on the server side. If you open the webapp in a browser, reload the page and check in developer mode, you must be seeing the encrypted value from the beginning.

If you are using https then you are already using standard encryption.

Thanks,

Saikat

mary_joyg231170

26-08-2019

Hi Saikat.

Thanks for your response.

Client wanted the encryption on the client-side as part of security. I did something like this:

      document.controller.setValue('/ctx/vars/memberId', '<%= cryptString("123456789")%>');

where I passed a hardcoded value and this works.

Is there no way that I can pass a variable inside cryptString? If it's not possible, is there another way to pass encrypted values from the client side and decrypt them on the server side? Or do I just have to use third-party encryption and decryption?

mary_joyg231170

22-08-2019

Hi Jon,
Thank you for your response.
I have tried the following:

  1. <%= cryptString(memberId) %>      --> [nms:webApp Error] ReferenceError: memberId is not defined
  2. '<%= cryptString(' + memberId + ') %>'    --> I removed the double quotes; however, when I decrypted it in the Script activity, the value in the log is:
                         2019-08-20 14:38:23 decrypted memberId= + memberId +
                         2019-08-20 14:38:23 memberId=@uWgrIzsoAUuwWi0Ojk5aE/Ux2BbGdikIMNnXwQ8qsSM=
  3. cryptString(memberId)    --> no <%= %>. Error thrown: Uncaught Reference type: cryptString not defined in the browser console

I thought there's just syntax error around this, however, I haven't figured it out yet.