XSS within Interact

Cross-Site Scripting

Interact is a content-rich intranet platform; we provide the ability for users to build out content such as pages, widgets and workflows using HTML tags. As an example, some customers showcase their content in a particular way by hosting third-party sites in pages or widgets using iFrames, or by implementing complex HTML accordions. By allowing HTML tags to be stored within the intranet, there is the potential that a user could inject client-side scripts with malicious intent into pages viewed by others. This is known as a stored (persistent) XSS (Cross-Site Scripting) attack.

Interact offers the ability for administrators to enable or disable individual tags for both public and privileged actions.

There are no Reflected XSS attack vulnerabilities within Interact.

Public and Privileged Actions

Actions within Interact fall into two categories – public actions and privileged actions. The category an action falls into depends broadly on the type of content being affected. The creation of content, such as a new page of content or a blog post, is considered a privileged action because it requires additional permission to be allocated to the user before the action can be completed.

A response to content, such as commenting on a page or posting on a forum, is considered a public action, which does not require additional permissions.

For example, the ability to create a new page of content requires ‘Content Author’ permissions within a content area, so this is considered a privileged action. However, any user within Interact can comment on a timeline post without additional privileges, so this is considered a public action.

This allows organizations to build governance policies around these actions, and to ensure that only trusted users can use the relevant HTML tags.

Tags

HTML tags can be individually classified by risk. Some tags such as <script> present more of a direct risk than others (e.g. <iframe>). Interact allows a customer to configure which individual HTML tags can be used within their content and which should be restricted. However, in some cases, one tag can be used to inject another tag with greater risk (e.g. inline styles can be used to perform XSS attacks without the use of a script tag).

In some cases, the restriction of HTML tags will prevent features from being used within Interact. If the <iframe> tag is restricted, embedding an iFrame inside a Freetext Widget will no longer work, resulting in the loss of the ability to present third-party websites within your homepage.

When determining which (if any) HTML tags can be used within Interact a customer should consider the potential loss of functionality versus the risk that using HTML tags may present. This should be discussed with the support team, who can then make the required amendments.

The tags that are available to be disabled are listed below. Each tag can be disabled for each category of action individually and independently of the other categories. For example, it’s possible to disable the script tag for public actions but enable it for privileged actions.

The available tags are <script>, <iframe>, <form>, <object>, <embed>, <link>, <head>, <meta>, <style>.
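As an added illustration (not Interact's own code), the following Python sketch models a per-action-category tag policy of the kind described above: a constructed policy disables every listed tag for public actions but leaves <iframe>, <form> and <style> available to privileged actions, and a filter strips disabled elements together with their content. The policy contents and the sample comment are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser

# Tags the page lists as individually restrictable; VOID ones have no closing tag.
RESTRICTABLE = {"script", "iframe", "form", "object", "embed",
                "link", "head", "meta", "style"}
VOID = {"link", "meta", "embed"}

# Constructed policy (assumption): public actions lose every restrictable tag;
# privileged actions keep <iframe>, <form> and <style> for page building.
POLICY = {
    "public": RESTRICTABLE,
    "privileged": {"script", "object", "embed", "link", "head", "meta"},
}

class TagFilter(HTMLParser):
    """Re-emit HTML, dropping disabled elements together with their content.
    Tag-level only: attribute vectors such as inline styles need other controls."""
    def __init__(self, disabled):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. encoded
        self.disabled, self.out, self.skip = disabled, [], 0
    def handle_starttag(self, tag, attrs):
        if tag in self.disabled:
            if tag not in VOID:
                self.skip += 1  # suppress everything until the element closes
        elif not self.skip:
            attr = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs)
            self.out.append(f"<{tag}{attr}>")
    def handle_endtag(self, tag):
        if tag in self.disabled:
            if tag not in VOID and self.skip:
                self.skip -= 1
        elif not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)
    def handle_entityref(self, name):
        self.handle_data(f"&{name};")
    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

def sanitize(html: str, action: str) -> str:
    f = TagFilter(POLICY[action])  # action is "public" or "privileged"
    f.feed(html); f.close()
    return "".join(f.out)

# Constructed sample: a comment body mixing safe markup with restricted tags.
COMMENT = ('<p>Nice page <b>&amp; widget</b>!</p><script>/* untrusted */</script>'
           '<iframe src="https://example.com"></iframe>')
```

Running `sanitize(COMMENT, "public")` keeps only the paragraph, while the privileged variant also retains the iframe.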

Configuration

By default, all tags are enabled for both privileged and public actions. If you would like to make any changes to the configuration of the different tags please contact the Interact service desk who will be able to make the required changes for you.

Workflow & Forms

The Workflow & Forms application allows administrators to build HTML forms to reflect business processes in electronic form. By design, Interact allows administrators to add any HTML tag without restriction when building a form.

When a user is completing a form, they are prevented from adding HTML tags to their responses to questions.