
List:       wsf-java-dev
Subject:    Re: [Dev] Fwd: Security questions are encoded
From:       Manuranga Perera <manu () wso2 ! com>
Date:       2017-02-28 9:55:51
Message-ID: CAMfZJhauQuZrm6F_UER-pkOVKy-zxxWSD0pJTQkMSMDuUyAxig () mail ! gmail ! com


1) Please don't put inline JS in HTML, this is an old practice, people
don't do this anymore [1]. In fact, in my opinion, we should block that
using Content-Security-Policy
2) If you want to send information from backend-JS to frontend-JS please
use the sendToClient feature of UUF

[1] https://en.wikipedia.org/wiki/Unobtrusive_JavaScript

On Tue, Feb 28, 2017 at 6:23 AM, Nuwandi Wickramasinghe <nuwandiw@wso2.com>
wrote:

> Does this encoding work properly when sent in javascript attributes as
> well? I recently noticed that the following type of calls do not work as
> expected if the value *question* contains a single quote.
>
> <a onclick="editQuestion('{{question}}')">
>
>
> On Tue, Jan 31, 2017 at 11:04 PM, Manuranga Perera <manu@wso2.com> wrote:
>
>> UUF automatically escapes sensitive characters [1]. Please don't use
>> 'encoding' for 'escaping'.
>>
>> [1] https://github.com/jknack/handlebars.java/blob/1f6c48e606dc1303d1e92a0a0eaa94120eba64fd/handlebars/src/main/java/com/github/jknack/handlebars/EscapingStrategy.java#L82
>>
>> On Tue, Jan 31, 2017 at 5:23 PM, Jayanga Kaushalya <jayangak@wso2.com>
>> wrote:
>>
>>> Hi Manuranga,
>>>
>>> This is not because of a security reason. The security question set id
>>> may contain html special characters. So the set id is sent to the UI after
>>> encoding to Base64.
>>>
>>> Thanks!
>>>
>>> *Jayanga Kaushalya*
>>> Software Engineer
>>> Mobile: +94777860160 <+94%2077%20786%200160>
>>> WSO2 Inc. | http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> On Tue, Jan 31, 2017 at 10:42 PM, Manuranga Perera <manu@wso2.com>
>>> wrote:
>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Manuranga Perera <manu@wso2.com>
>>>> Date: Tue, Jan 31, 2017 at 5:11 PM
>>>> Subject: Security questions are encoded
>>>> To: Johann Nallathamby <johann@wso2.com>, Jayanga Kaushalya <
>>>> jayangak@wso2.com>, Isura Karunaratne <isura@wso2.com>
>>>>
>>>>
>>>> Security questions are base64 encoded [1]. If they were encrypted (e.g.
>>>> RSA) or hashed (e.g. SHA) I could understand that it's for security reasons.
>>>> All this does is obfuscation, poorly even at that, since base64 can be
>>>> easily decoded.
>>>>
>>>> Or is it done for non-security reasons, like escaping special
>>>> characters?
>>>>
>>>> [1] https://github.com/wso2/product-is/blob/6.0.x-C5_m3/portal/osgi-services/org.wso2.is.portal.user.client.api/src/main/java/org/wso2/is/portal/user/client/api/ChallengeQuestionManagerClientServiceImpl.java#L113
>>>>
>>>> --
>>>> With regards,
>>>> *Manu*ranga Perera.
>>>>
>>>> phone : 071 7 70 20 50
>>>> mail : manu@wso2.com
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>
>>
>> --
>> With regards,
>> *Manu*ranga Perera.
>>
>> phone : 071 7 70 20 50
>> mail : manu@wso2.com
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
>
> Best Regards,
>
> Nuwandi Wickramasinghe
>
> Software Engineer
>
> WSO2 Inc.
>
> Web : http://wso2.com
>
> Mobile : 0719214873
>



-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : manu@wso2.com
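As an added example (not code from this thread, from UUF or from Handlebars), the Node script below shows why the `onclick="editQuestion('{{question}}')"` pattern from Nuwandi's mail breaks even though the template HTML-escapes the value, and contrasts it with the unobtrusive data-attribute approach Manu recommends. The escaper is a stand-in for Handlebars' HTML escaping, and `editQuestion` is assumed to be the page's own handler.

```javascript
// Stand-in for a Handlebars-style HTML escaper (assumption: the real
// EscapingStrategy escapes at least these characters as entities).
function htmlEscape(s) {
  return s.replace(/[&<>"'`=]/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
    "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
  }[c]));
}

// What the browser's HTML parser does to an attribute value before the
// JS engine ever sees it: entity references are decoded back to characters.
function decodeAttrEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#x27|#x60|#x3D);/g, m => ({
    '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"',
    '&#x27;': "'", '&#x60;': '`', '&#x3D;': '=',
  }[m]));
}

// The thread's pattern: <a onclick="editQuestion('{{question}}')">.
// Returns the handler source the JS engine actually receives.
function inlineHandlerSource(question) {
  const attr = `editQuestion('${htmlEscape(question)}')`; // emitted by the template
  return decodeAttrEntities(attr);                         // seen by the JS engine
}

// True only if the handler is still one call with one intact string literal.
function isSingleStringCall(src) {
  return /^editQuestion\('(?:[^'\\]|\\.)*'\)$/.test(src);
}

// Safe alternative 1 (no inline JS): carry the value in a data attribute,
// where HTML escaping is the correct escaping, and bind the handler in JS.
function dataAttributeMarkup(question) {
  return `<a class="edit" data-question="${htmlEscape(question)}">edit</a>`;
}
// In the page script:
//   document.querySelectorAll('a.edit').forEach(a =>
//     a.addEventListener('click', () => editQuestion(a.dataset.question)));

// Safe alternative 2 if a value must land inside a <script> block: use a
// JS-context encoding (JSON, with '<' escaped), not HTML entities or base64.
function jsLiteral(question) {
  return JSON.stringify(question).replace(/</g, '\\u003c');
}
```

A single quote in the question yields a handler that no longer parses as one string argument, while the data-attribute and JSON forms round-trip the value unchanged.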

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic