Reducing Cross Site Scripting Chances

[evanlurvey]

I want to start with I really like how forms are done in solid start. I think the whole project is super cool and I am actively building with it.

When playing with it I noticed that when javascript is disabled and a post is submitted a redirect containing encoded form data and errors comes back. For example try this link with the with-auth example project. You will see the error message has been tampered with. Some also say sensitive form data going over the wire in params is not desired typically.

I was thinking an easy way to solve this problem would to be some form of encryption with a secret that is generated at project creation, similar to how Django does their framework.

While on the topic of security since the forms are built in I think some type of csrf preventative should be encouraged in the docs if not standard in the framework.

[evanlurvey]

Also worth noting the signature method like a JWT or even just using a JWT could work also but that doesn't solve the potentially sensitive form field data going over the wire.

[atk]

If your HTTPS/HTTP2 connection is already compromised by a MITM-attack to reveal form field data without your users noticing, you cannot possibly prevent any attacks against your user You can try to prevent CSRF attacks in which a manipulated site attempts to send form field data from the user to your endpoint with all the cookies present by using a hidden CSRF token hidden that is submitted in the POST request body or headers to verify the source of the request and prevent such cases.

[evanlurvey]

Completely agree in regards to the man in the middle but there are many examples of a man in the middle that we see daily. An example would be proxy/checkpoint software an employer uses. Many of these record the uri with params but they do not record post body for the fear of sensitive data (they filter but do not log it in many cases).

Also agree CSRF tokens work great. They are not included by default which is another reason for striking up this conversation 🙂

The first mentioned scenario requires no MITM or compromised anything since it’s just a link with query params which is very common on the internet. It can also be prevented with encrypting that form data server side on the POST before returning in the redirect, then on the GET it can be decrypted. A signature or CSRF token on the GET would also work but wouldn’t obscure the payload

My goal for this conversation is to talk about: Does the core group care about these things or is it expected the end user mitigates these attacks?

Depending on outcome of that question we can then go into preferred implementation and then sling some PRs hopefully!