XSS mitigation by sanitizing user inputs with bleach

owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go

@@ -46,8 +46,8 @@ func AuthenticateUser(user string, pass string) (bool, error) {
 	}
 	defer dbConn.Close()
 
-	query := fmt.Sprint("select * from Users where username = '" + user + "'")
-	rows, err := dbConn.Query(query)
+	query := ("SELECT * FROM Users WHERE username = ?")
+	rows, err := dbConn.Query(query, user)
 	if err != nil {
 		return false, err
 	}
@@ -88,12 +88,12 @@ func NewUser(user string, pass string, passcheck string) (bool, error) {
 	}
 	defer dbConn.Close()
 
-	query := fmt.Sprint("insert into Users (username, password) values ('" + user + "', '" + passHash + "')")
-	rows, err := dbConn.Query(query)
+	query := ("INSERT INTO Users (username, password) VALUES (?, ?)")
+	rows, err := dbConn.Exec(query, user, passHash)
 	if err != nil {
 		return false, err
 	}
-	defer rows.Close()
+
 
 	fmt.Println("User created: ", user)
 	return true, nil //user created
@@ -108,8 +108,8 @@ func CheckIfUserExists(username string) (bool, error) {
 	}
 	defer dbConn.Close()
 
-	query := fmt.Sprint("select username from Users where username = '" + username + "'")
-	rows, err := dbConn.Query(query)
+	query := ("SELECT username FROM Users WHERE username = ?")
+	rows, err := dbConn.Query(query, username)
 	if err != nil {
 		return false, err
 	}
@@ -126,16 +126,16 @@ func InitDatabase() error {
 
 	dbConn, err := OpenDBConnection()
 	if err != nil {
-		errOpenDBConnection := fmt.Sprintf("OpenDBConnection error: %s", err)
+		errOpenDBConnection := ("OpenDBConnection error: %s" + err)
 		return errors.New(errOpenDBConnection)
 	}
 
 	defer dbConn.Close()
 
-	queryCreate := fmt.Sprint("CREATE TABLE Users (ID int NOT NULL AUTO_INCREMENT, Username varchar(20), Password varchar(80), PRIMARY KEY (ID))")
+	queryCreate := ("CREATE TABLE Users (ID int NOT NULL AUTO_INCREMENT, Username varchar(20), Password varchar(80), PRIMARY KEY (ID))")
 	_, err = dbConn.Exec(queryCreate)
 	if err != nil {
-		errInitDB := fmt.Sprintf("InitDatabase error: %s", err)
+		errInitDB := ("InitDatabase error: %s" + err)
 		return errors.New(errInitDB)
 	}
 

owasp-top10-2021-apps/a3/copy-n-paste/postRequest.txt

@@ -0,0 +1,10 @@
+
+POST /login HTTP/1.1
+Host: 127.0.0.1:10001
+User-Agent: curl/7.54.0
+Accept: */*
+Content-Type: application/json
+Content-Lenght: 31
+
+{"user":"-1' UNION SELECT 1,2,sleep(5) -- ", "pass":"password"}
+

owasp-top10-2021-apps/a3/gossip-world/app/model/db.py

@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 
 import MySQLdb
+import bleach
 
 
 class DataBase:
@@ -143,6 +144,10 @@ def get_comments(self, id):
         return comments, 1
 
     def post_comment(self, author, comment, gossip_id, date):
+        allowed_tags = ['b', 'i', 'u', 'em', 'strong', 'a']
+        allowed_attrs = {'a': ['href', 'title']}
+
+        clean_comment = {bleach.clean(comment, tags=allowed_tags, attributes=allowed_attrs)}
         try:
             self.c.execute(
                 'INSERT INTO comments (author, comment, gossip_id, date) VALUES (%s, %s, %s, %s);',

owasp-top10-2021-apps/a3/gossip-world/app/requirements.txt

@@ -10,3 +10,4 @@ mysqlclient==1.3.13
 six==1.11.0
 visitor==0.1.3
 Werkzeug==0.14.1
+bleach==5.0.1

owasp-top10-2021-apps/a3/gossip-world/app/routes.py

@@ -7,6 +7,7 @@
 import os
 import uuid
 import datetime
+import bleach
 
 from flask import (
     Flask,
@@ -32,6 +33,8 @@
     app.config['MYSQL_PASSWORD'],
     app.config['MYSQL_DB'])
 
+allowed_tags = ['b', 'i', 'u', 'em', 'strong', 'a']
+allowed_attrs = {'a':['href', 'title']}
 
 def generate_csrf_token():
     '''
@@ -163,7 +166,7 @@ def all_gossips():
 @login_required
 def gossip(id):
     if request.method == 'POST':
-        comment = request.form.get('comment')
+        comment = bleach.clean(request.form.get('comment'), tags=allowed_tags, attributes=allowed_attrs)
         user = session.get('username')
         date = datetime.datetime.now()
         if comment == '':
@@ -198,9 +201,9 @@ def gossip(id):
 @login_required
 def newgossip():
     if request.method == 'POST':
-        text = request.form.get('text')
-        subtitle = request.form.get('subtitle')
-        title = request.form.get('title')
+        text = bleach.clean(request.form.get('text'), tags=allowed_tags, attributes=allowed_attrs)
+        subtitle = bleach.clean(request.form.get('subtitle'))
+        title = bleach.clean(request.form.get('title'))
         author = session.get('username')
         date = datetime.datetime.now()
         if author is None or text is None or subtitle is None or title is None: