
How to protect from injection attacks when using KnockoutJS?

Our company was planning to use Knockoutjs but I found this link discussing security issues in KnockoutJS. They are saying that people can easily inject malicious code in data-bind attribute.

For example:

<script src="http://knockoutjs.com/downloads/knockout-2.3.0.js"></script>
<div data-bind="x:alert(1)" />
<script> 
    ko.applyBindings();
</script>

I do not have a very good understanding of XSS attacks, and I do not know how many ways people can inject malicious code into a web site.

  1. Can anyone tell me, when a page is rendered on a client PC, how people can inject this <div data-bind="x:alert(1)" /> just to get it to work? Can anyone tell me how hackers can inject this into a page opened in a browser?

  2. Can anyone tell me what other security issues there are for knockoutjs?

If it is not very safe then I will not use it.

I also got links discussing a bit about how to better secure knockoutjs:

  • http://brianmhunt.github.io/articles/knockout-plus-content-security-policy/
  • https://github.com/brianmhunt/knockout-secure-binding

Is anyone aware of how to get a fully secured knockoutjs? Because I have seen the tutorial for KnockoutJS and felt the learning curve is not high.

Mou asked Feb 13 '15 10:02


1 Answer

"Securing knockout" is not how you prevent XSS.

You have to manage your XSS exposure in the first place, regardless of how you are binding data to elements in your application, and that starts with securing the page that has the knockout binding in the first place:

  • Validate input that would impact the return of that specific web page

  • Don't allow users to render HTML output provided by users without sanitizing it first

  • Don't allow untrusted 3rd parties to deliver script references or incorporate links from 3rd parties you don't trust.

The full list of how to prevent XSS is here:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

You will notice that "not using knockout" is not on either of these lists and that most of the issues are related to managing user input and how it ends up in your script code. The same would be true of how user input ends up in your knockout binding.

Managing your knockout exposure by using the secure binding mechanism you linked above will reduce your potential surface area of attack.

But once you have a malicious piece of HTML returned by your server or linked in your page, regardless of whether you have knockout or not, you have an XSS problem.

C Tierney answered Sep 30 '22 05:09
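The answer's point about user input ending up in the page, shown as an added example that is not code from the question, the answer, or Knockout itself: it contrasts markup built by concatenating user input with two safer renderings. The comment-field scenario, the function names, and `COMMENT_TEMPLATE` are assumptions made for illustration.

```javascript
'use strict';
// Added example with constructed input; all function names are hypothetical.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// BEFORE: user input concatenated into markup. Any data-bind attribute in it
// becomes part of the DOM that ko.applyBindings() later walks and evaluates.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// AFTER (option 1): encode on output, so the input is rendered as inert text.
function renderCommentEscaped(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// AFTER (option 2): developer-authored markup only; the user value travels as
// data in the view model and is displayed through Knockout's text binding.
const COMMENT_TEMPLATE = '<div class="comment" data-bind="text: comment"></div>';

// Serialize a view model for an inline <script> block. Escaping "<" keeps a
// value such as "</script>" from terminating the block early.
function serializeModel(model) {
  return JSON.stringify(model).replace(/</g, '\\u003c');
}

// Review/test helper: count elements in rendered markup that carry data-bind.
function countDataBind(html) {
  return (html.match(/<[^>]*\sdata-bind\s*=/gi) || []).length;
}

// Constructed input: the markup from the question, submitted as a "comment".
const submitted = '<div data-bind="x:alert(1)" />';

console.log('unsafe  bindings:', countDataBind(renderCommentUnsafe(submitted)));
console.log('escaped bindings:', countDataBind(renderCommentEscaped(submitted)));
console.log('model as data   :', serializeModel({ comment: submitted }));
```

A check like `countDataBind` fits in a unit test for server-side templates: the number of bound elements in the rendered output should not change with the user-supplied value.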