I am facing an issue with a hacker, who is injecting scripts through the URL. For ex:
localhost:4502/content/mypage/homepage.html?<script>alert("XSS");</script>
This is showing an alert with "XSS".
I want to disable all the special characters. I tried adding a filter in the dispatcher, modifying the .htaccess of my webserver and writing a JavaScript handler, but none worked for me.
I am using some query parameters in my application, so I can't block all query params.
Please help to stop this script injection.
Hi Khalid,
I was able to find a pretty good article on XSS attacks here. This is an external site, so please take any recommendations it makes as general advice, as it is not Adobe certified content. Hopefully, some other community members can share some of their tactics for preventing these sorts of attacks.
Best of luck,
Jantzen
I am not able to reproduce this behavior.
Have you implemented some custom code for handling query parameters?
If you are capturing some query parameters, then I would suggest you parse them and remove special characters.
like:- query = query.replace(/</g, "&lt;").replace(/>/g, "&gt;");
Or
function stripTags(query) {
  // parse the value as HTML with jQuery and keep only its text content
  return $( $.parseHTML(query) ).text();
}
If you explain your use-case and implementation we could help you more.
~kautuk
For every implementation make sure all the output is escaped in the correct way.
Here is a sheet with XSS examples:
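As an added example (not code from any of the replies above), this puts the two suggestions together: an allow-list for the query parameters the page actually uses, so unknown ones such as the injected script are dropped instead of reflected, and full HTML escaping on output, since the two-character replace alone leaves quotes intact and so does not protect an attribute context. The parameter names `q` and `page` and their patterns are assumptions; a real page would use its own.

```javascript
// Added example for the thread above. The reflected query string only becomes
// XSS when the page echoes it back unescaped, so the fix is on the output side.

// Escape all five HTML-significant characters; safe for text content and for
// double-quoted attribute values. Escaping only < and > leaves " untouched,
// which is enough to break out of an attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow-list of the parameters this page consumes (assumed names and patterns).
// Anything not listed, such as ?<script>alert("XSS");</script>, is discarded;
// listed values must match a bounded, conservative character set.
const ALLOWED_PARAMS = {
  q: /^[\w .-]{0,64}$/,
  page: /^\d{1,4}$/,
};

function sanitizeQuery(search) {
  const params = new URLSearchParams(search);
  const clean = {};
  for (const [name, pattern] of Object.entries(ALLOWED_PARAMS)) {
    const raw = params.get(name);
    if (raw !== null && pattern.test(raw)) clean[name] = raw;
  }
  return clean;
}

// Build the markup that reflects the search term. Values are escaped even
// after validation: validation and output encoding are separate layers, and
// the allow-list may be loosened later without anyone revisiting this code.
function renderHeading(search) {
  const clean = sanitizeQuery(search);
  const term = clean.q !== undefined ? clean.q : "";
  return '<h1 data-term="' + escapeHtml(term) + '">Results for ' +
    escapeHtml(term) + '</h1>';
}
```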