Naresh Kukreti
Identify Potential Cross-Site Scripting Vectors
To complete this challenge, you need to identify locations in code where cross-site scripting is possible. Navigate to the Built-In XSS Protections Challenge tab within the Cross-site Scripting (XSS) application. You will see text output corresponding to merge fields in the Visualforce code. Locate any usage of the merge field "{!sampleMergeField}". Edit the code comment beneath the merge field to indicate whether or not this code block is vulnerable to cross-site scripting. For instance:
-If the code is vulnerable, the comment should appear as <!-- Line 10 is vulnerable to XSS: YES -- >
-If the code is not vulnerable, the comment should appear as <!-- Line 10 is vulnerable to XSS: NO -- >
I am getting the following error
Challenge Not yet complete... here's what's wrong:
Looks like you incorrectly identified some potential cross-site scripting vectors. Please try again.
Please help me to complete this challenge
Please make sure that you have connected to the Kingdom Management developer org.
Moreover, also use the text below in the input field box
Hope this helps you!
If this helps you, please mark it as solved choosing BestAnswer.
Thanks and Regards
Sandhya
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
  <apex:sectionHeader title="Built-In XSS Protections Challenge" />
  <apex:form >
    <apex:pageBlock >
      <c:Classic_Error />
      <apex:pageMessages />
      <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
        <apex:outputText value="{!sampleMergeField1}"/>
        <!-- sampleMergeField1 is vulnerable to XSS: NO -->
        <apex:outputText value="{!sampleMergeField2}" escape="false"/>
        <!-- sampleMergeField2 is vulnerable to XSS: YES -->
        <apex:outputText >
          {!sampleMergeField3}
        </apex:outputText>
        <!-- sampleMergeField3 is vulnerable to XSS: NO -->
        <style>
          .foo {
            color: #{!sampleMergeField4};
          }
        </style>
        <!-- sampleMergeField4 is vulnerable to XSS: YES -->
        {!sampleMergeField5}
        <!-- sampleMergeField5 is vulnerable to XSS: NO -->
        <script>
          var x = '{!sampleMergeField6}';
        </script>
        <!-- sampleMergeField6 is vulnerable to XSS: YES -->
        <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
        <!-- sampleMergeField7 is vulnerable to XSS: YES -->
      </apex:pageBlockSection>
      <apex:pageBlockSection title="Code links" columns="1">
        <apex:outputPanel >
          <ul>
            <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>
            <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
          </ul>
        </apex:outputPanel>
      </apex:pageBlockSection>
    </apex:pageBlock>
  </apex:form>
</apex:page>
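As an added illustration (not code from any post here, and not Salesforce's), a small Python audit script that scans the Demo section above and classifies each merge field by the context it is rendered into, using the rules the answer key reflects: a merge field that Visualforce HTML-escapes is safe, while escape="false", a <style> block or a <script> block is not. The embedded snippet is copied from the listing above; the rule set and function names are my own construction.

```python
import re

# Constructed input: the "Demo" section of the challenge page as posted above.
VISUALFORCE_SNIPPET = """<apex:outputText value="{!sampleMergeField1}"/>
<apex:outputText value="{!sampleMergeField2}" escape="false"/>
<apex:outputText >
{!sampleMergeField3}
</apex:outputText>
<style>
.foo {
color: #{!sampleMergeField4};
}
</style>
{!sampleMergeField5}
<script>
var x = '{!sampleMergeField6}';
</script>
<apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
"""

MERGE_FIELD = re.compile(r"\{!(\w+)\}")

def classify_merge_fields(markup):
    """Map each {!field} in markup to (context, vulnerable).
    Visualforce HTML-escapes merge fields by default, so a field is flagged
    only when escape="false" turns that off, or when it sits inside <style>
    or <script>, where HTML escaping leaves CSS/JS metacharacters intact.
    """
    results, in_style, in_script = {}, False, False
    for line in markup.splitlines():
        tag = line.strip().lower()
        in_style = in_style or tag.startswith("<style")
        in_script = in_script or tag.startswith("<script")
        for name in MERGE_FIELD.findall(line):
            if 'escape="false"' in line:
                results[name] = ("escape=false", True)      # auto-escaping disabled
            elif in_style:
                results[name] = ("css", True)               # HTML escaping does not help here
            elif in_script:
                results[name] = ("javascript", True)        # needs JSENCODE, not HTML escaping
            else:
                results[name] = ("html, auto-escaped", False)
        in_style = in_style and not tag.startswith("</style")
        in_script = in_script and not tag.startswith("</script")
    return results

def challenge_comments(markup):
    # The comment lines the challenge asks for, one per merge field, in page order.
    return [f"<!-- {n} is vulnerable to XSS: {'YES' if v else 'NO'} -->" for n, (_, v) in classify_merge_fields(markup).items()]
```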
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
  <apex:sectionHeader title="Built-In XSS Protections Challenge" />
  <apex:form >
    <apex:pageBlock >
      <c:Classic_Error />
      <apex:pageMessages />
      <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
        <apex:outputText value="{!sampleMergeField1}"/>
        <!-- sampleMergeField1 is vulnerable to XSS: NO -->
        <apex:outputText value="{!sampleMergeField2}" escape="false"/>
        <!-- sampleMergeField2 is vulnerable to XSS: YES -->
        <apex:outputText >
          {!sampleMergeField3}
        </apex:outputText>
        <!-- sampleMergeField3 is vulnerable to XSS: NO -->
        <style>
          .foo {
            color: #{!sampleMergeField4};
          }
        </style>
        <!-- sampleMergeField4 is vulnerable to XSS: YES -->
        {!sampleMergeField5}
        <!-- sampleMergeField5 is vulnerable to XSS: YES -->
        <script>
          var x = '{!sampleMergeField6}';
        </script>
        <!-- sampleMergeField6 is vulnerable to XSS: YES -->
        <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
        <!-- sampleMergeField7 is vulnerable to XSS: YES -->
      </apex:pageBlockSection>
      <apex:pageBlockSection title="Code links" columns="1">
        <apex:outputPanel >
          <ul>
            <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>
            <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
          </ul>
        </apex:outputPanel>
      </apex:pageBlockSection>
    </apex:pageBlock>
  </apex:form>
</apex:page>
It is not vulnerable to HTML XSS because of Salesforce's auto HTML escaping,
BUT
it is vulnerable to JavaScript XSS because that is not escaped automatically.
To demonstrate, try changing the Apex code to this and then mouse over. You will see an alert box to
public string sampleMergeField5 {
  get {
    return '<div onmousemove="alert()">test data</div>';
  }
  set;
}