Comments (7)
Can confirm
from phoenix-chat-example.
Working.
from phoenix-chat-example.
Essential reading:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
Previous solution: dwyl/hapi-socketio-redis-chat-example@05dddee
Before wiping, the Heroku database has 2,851 rows:
I made a backup of the whole database before wiping it.
https://stackoverflow.com/questions/20410873/how-can-i-browse-my-heroku-database
Suggested way of viewing the data is heroku pg:psql, which requires the Heroku Toolbelt (CLI): dwyl/learn-heroku#36
heroku pg:psql --app phxchat
Success:
--> Connecting to postgresql-polished-92363
psql (11.3, server 10.10 (Ubuntu 10.10-1.pgdg16.04+1))
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
phxchat::DATABASE=>
Show the list of tables:
> \dt
List of relations
Schema | Name | Type | Owner
--------+-------------------+-------+----------------
public | messages | table | mivqshvphadfzt
public | schema_migrations | table | mivqshvphadfzt
(2 rows)
Re-familiarise myself with the columns:
> select * from messages LIMIT 1;
id | name | message | inserted_at | updated_at
----+--------+--------------+---------------------------+----------------------------
1 | Nelson | Hello World! | 2018-02-21 12:13:54.84891 | 2018-02-21 12:13:54.851826
(1 row)
Attempt to view the offending post that is causing the XSS:
> select * from messages ORDER BY inserted_at DESC LIMIT 30;
id | name | message | inserted_at | updated_at
------+---------+----------------------------------------+----------------------------+----------------------------
3180 | pinky | fuuuuck | 2019-09-01 01:28:52.767645 | 2019-09-01 01:28:52.77061
3179 | 4444 | 666 | 2019-08-31 15:29:28.965705 | 2019-08-31 15:29:28.965721
3178 | sdw | 2323 | 2019-08-31 15:29:12.025197 | 2019-08-31 15:29:12.02521
3177 | 4444 | 5555 | 2019-08-31 15:27:53.3946 | 2019-08-31 15:27:53.394615
3176 | 333 | 6666 | 2019-08-31 15:27:41.937965 | 2019-08-31 15:27:41.941574
3175 | M | Hey | 2019-08-30 06:59:27.39338 | 2019-08-30 06:59:27.400406
3174 | Me2 | whats up | 2019-08-30 03:00:41.120144 | 2019-08-30 03:00:41.125643
3173 | It's me | Hi | 2019-08-29 15:34:13.06095 | 2019-08-29 15:34:13.064761
3172 | o | cool | 2019-08-29 12:55:54.788471 | 2019-08-29 12:55:54.79282
3171 | Nittin | Why is it like this? | 2019-08-29 10:40:56.847504 | 2019-08-29 10:40:56.847517
3170 | Nittin | Why??? | 2019-08-29 10:40:37.447223 | 2019-08-29 10:40:37.447235
3169 | Nittin | A chat app must have two sides, right? | 2019-08-29 10:40:31.526535 | 2019-08-29 10:40:31.529909
3168 | Shankar | Yes I am very good | 2019-08-29 08:43:16.647496 | 2019-08-29 08:43:16.647509
3167 | Nittin | I hope you are good | 2019-08-29 08:43:04.189125 | 2019-08-29 08:43:04.189145
3166 | Nittin | how are you | 2019-08-29 08:42:57.375866 | 2019-08-29 08:42:57.375881
3165 | Nittin | hi | 2019-08-29 08:42:51.06797 | 2019-08-29 08:42:51.083134
3164 | wsedas | ?? | 2019-08-28 16:23:31.394724 | 2019-08-28 16:23:31.394738
3163 | ? | ? | 2019-08-28 16:23:03.591352 | 2019-08-28 16:23:03.595107
3162 | test | hi | 2019-08-28 06:01:55.9304 | 2019-08-28 06:01:55.934414
3161 | test | Yeey | 2019-08-27 12:42:27.146707 | 2019-08-27 12:42:27.146723
3160 | test | Oh my gosh! | 2019-08-27 12:42:16.010344 | 2019-08-27 12:42:16.013344
3159 | Joe | Hello | 2019-08-27 01:00:13.909619 | 2019-08-27 01:00:13.913643
3158 | ff | dddd | 2019-08-26 20:35:32.667296 | 2019-08-26 20:35:32.667315
3157 | ff | ff | 2019-08-26 20:35:11.698627 | 2019-08-26 20:35:11.701891
3156 | sd | asd | 2019-08-26 08:40:57.902399 | 2019-08-26 08:40:57.902414
3155 | sd | sdfsdf | 2019-08-26 08:40:53.896946 | 2019-08-26 08:40:53.900078
3154 | dads | adsasd | 2019-08-25 15:08:49.497721 | 2019-08-25 15:08:49.497735
3153 | sdTest | dsasdadas | 2019-08-25 15:08:32.086713 | 2019-08-25 15:08:32.086728
3152 | Test | cdcdcd | 2019-08-25 15:08:27.707088 | 2019-08-25 15:08:27.707106
3151 | Test | adsdsads | 2019-08-25 15:08:24.586681 | 2019-08-25 15:08:24.586695
Nothing ...
from phoenix-chat-example.
After running:
pg_restore --verbose --clean --no-acl --no-owner -h localhost -d chat_dev production.dump
I looked through the data and there's so much junk ...
No shortage of people trying to inject scripts:
select * from messages WHERE message LIKE '%<script%';
Will wipe the data once I've confirmed that the sanitise function is doing its job.
from phoenix-chat-example.
Thanks for being the only one with the patience to do this @nelsonic!
from phoenix-chat-example.
Restarting ...
Error R10 (Boot timeout) -> Web process failed to bind to $PORT within 60 seconds of launch
Debug: gjaldon/heroku-buildpack-phoenix-static#73
Going to attempt to add http: [port: {:system, "PORT"}], to config/prod.exs
...
from phoenix-chat-example.
XSS no longer present on the page:
<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
escaped:
Going to wipe the database now.
from phoenix-chat-example.
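The two checks above (the `LIKE '%<script%'` query used to find injection attempts in the restored dump, and the confirmation that the xss.rocks payload now renders escaped) can be reproduced offline. The following is an added example, not code from phoenix-chat-example or from the thread's authors: it audits a constructed set of rows shaped like the `messages` table, generalises the detection beyond a case-sensitive `<script` match (the other vectors come from the OWASP cheat sheets linked above), and shows that HTML-escaping the stored text before it reaches `innerHTML` leaves no raw tag delimiters. The row values, the `looksLikeInjection`, `escapeHtml`, `renderMessage` and `isInert` names, and the `<li><strong>` markup are all assumptions made for this example.

```javascript
// Added example (not from phoenix-chat-example): audit stored chat messages
// for script-injection attempts and confirm HTML-escaping renders them inert.

// Constructed sample rows mimicking the `messages` table shown in the thread.
// Row 9001 carries the payload the thread reports as now escaped on the page.
const sampleRows = [
  { id: 1,    name: "Nelson",   message: "Hello World!" },
  { id: 3169, name: "Nittin",   message: "A chat app must have two sides, right?" },
  { id: 9001, name: "attacker", message: "<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>" },
  { id: 9002, name: "attacker", message: '<img src=x onerror="alert(1)">' },
  { id: 9003, name: "attacker", message: '<a href="javascript:alert(1)">click</a>' },
  { id: 9004, name: "bob",      message: "1 < 2 && 3 > 2" },
];

// Generalises the thread's `LIKE '%<script%'` check: SQL LIKE is case-sensitive
// and misses <SCRIPT>, and script tags are only one of the common vectors.
const INJECTION_PATTERNS = [
  /<\s*script/i,                          // <script> in any letter case
  /<\s*(img|svg|iframe|object|embed)\b/i, // tags that fire handlers or load content
  /\son[a-z]+\s*=/i,                      // inline event handlers, e.g. onerror=
  /javascript\s*:/i,                      // javascript: URLs in href/src
];

function looksLikeInjection(message) {
  return INJECTION_PATTERNS.some((re) => re.test(message));
}

// Returns the rows a reviewer would want to look at before wiping the table.
function findInjectionAttempts(rows) {
  return rows.filter((row) => looksLikeInjection(row.message));
}

// Escape the five characters that matter in HTML text and attribute contexts
// (OWASP XSS Prevention rule #1). The result is safe to insert as text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the list-item markup a chat UI would append; every user-controlled
// field goes through escapeHtml, so the stored payload cannot become a tag.
function renderMessage(row) {
  return `<li><strong>${escapeHtml(row.name)}</strong>: ${escapeHtml(row.message)}</li>`;
}

// Defender's check: escaped user text must contain no raw tag delimiters.
function isInert(text) {
  return !/[<>]/.test(text);
}

// Run the audit over the constructed rows and show the before/after rendering.
for (const row of findInjectionAttempts(sampleRows)) {
  console.log(`row ${row.id} (${row.name}) looks like an injection attempt`);
  console.log(`  stored : ${row.message}`);
  console.log(`  escaped: ${escapeHtml(row.message)}  inert=${isInert(escapeHtml(row.message))}`);
  console.log(`  markup : ${renderMessage(row)}`);
}
```

The detector is a triage aid for reading a dump, not a filter to rely on at render time: a legitimate message such as `1 < 2 && 3 > 2` must still display correctly, which is why the rendering path escapes everything unconditionally rather than rejecting rows the patterns flag.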