On Thu, Mar 4, 2021 at 8:43 AM [email protected] <[email protected]> wrote:
> Hello,
>
> Might be a slightly obscure topic but I've not been able to figure out
> whether Apache Guacamole has any built-in features or protections to prevent
> DOM-based XSS attacks.
>
> We've had a security questionnaire come through which includes this as a
> topic; I've included an OWASP link below. Are you able to provide any info
> on whether there's something in place for this?
>
> "Some XSS vulnerabilities work exclusively on the client side, in an
> application's scripting code. This kind of XSS is commonly referred to as
> DOM-based XSS. Because server-side escaping of user input does not protect
> against DOM-based XSS, you need a strategy for dealing with client-side
> scripting code that handles user input, as well as parts of the DOM that may
> contain user input (such as document.location)"
>
> https://owasp.org/www-community/attacks/DOM_Based_XSS

In Guacamole's case, all escaping is client-side:

- There are no server-generated dynamic documents outside the static contents
  of the webapp and additional static contents provided by extensions.
- Dynamic data comes to the client side only in the form of JSON responses to
  REST API requests, none of which are expected to be pre-escaped.
- Neither data retrieved from the server (REST API) nor data obtained purely
  client-side (things like search filters) are ever simply concatenated into a
  document. Such data is only included using AngularJS' data binding, which is
  automatically escaped.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.
