Keep up the great work, Zoho is a great service.

Charles

yes this helps a lot. We are looking forward to get our hands on Zoho Creator as soon as you fix the bugs. keep us informed about any updated. Meanwhile, we are going to come up with a temporary solution for the application on our side.

cheers

For the normal json feed, you get all the data by default and not the first 100 entries alone. We do have the REST API and the callback function already but they are not yet documented.

I will explain here in detail

Consider this JSON feed http://creator.zoho.com/charles/json/266/ , of the view http://creator.zoho.com/charle...../view/266/

1. For Getting the raw data without any JavaScript variable,

http://creator.zoho.com/charles/json/266/raw=true

2. For call back functionality in javascript, you need to add an extra parameter callback=fnToCall where fnToCall is the callback function

http://creator.zoho.com/charle.....myfunction

3. As far as the REST API for filtering is concerned, it is kind of not human readable right now. But you can get the filtered JSON url by doing the following steps.

a) Filter the data in the List view by using Search feature.
b) After getting the results in the view, click “Export Data”
c) In the pop up dialog, copy the JSON feed link in the “Filtered Records” tab. This will give the filtered data of the view as JSON feed.

We will make the url human readable and writable in the near future so that it can be used as widely.

Hope this helps.

Thanks,
Charles

JSON feeds are also affected :). Also, if you provide a callback parameter for each feed, it will be great. For now, we have to abandon JSON and use Yahoo pipes to fetch XML from the database since it is the only safe option at the moment. Is there are a way to filter database entries on the fly by using a REST like interface or something? I also wonder how to fetch more then one JSON page at the time, since the maximum we can get at the moment is 100 entries. There are some tricks that we can use to get more but we are looking for a clean solution that is compatible with your application.

thanks

We need to handle this in more than one place in Zoho Creator. We might have to replace those characters in Form Input, deluge scripting, and in View Search. And we will have to test it in lot of places. So to get this done at the earliest, it might take next week end for us.

Thanks,
Charles

great. thanks for that.

We had a minor update today. It is a mere coincidence to have captcha field in today’s update. You can specify it in the “Form Properties” under “More Actions” in the Form Editor. So there you go.

And regarding the other xss vulnerabilities, we are yet to assess the amount of effort involved(though it seems to be small). I will update you tomorrow on this.

BTW, Thanks for sharing your tips in our forums. I will share my views at the earliest.

David,

I couldn’t agree more on that. It will be of immense value for Zoho to be served as the database. We are really excited to be part of your community.

Charles

Since the XSSDB project will largely utilise Zoho, it’ll be great for you guys to get some free security testing :)

when do you think the XSS bugs will be fixed?

.mario, yes. The database is moderated and I was thinking to add you and Kishor as top moderators. So, you guys will be in charge of the entire XSSDB machina. We can use the database for PHPIDS project as well. We can easily add another field into the database to provide a facilities for user to supply regex which can be used to match the discussed exploit. Or maybe we can create another mashup just for PHPIDS. I can help you out with these types of projects, since I have a large portion of the work already done, and now with the help of securls.com, the entire process will be even easier.

Let me know what do you think!

Hi,

My name is Petko D. Petkov, pdp (architect); and I am currently maintaining the GNUCITIZEN group at http://www.gnucitizen.org. I am really enjoying your service so far and I have implemented several security mashups on the top of it.

While playing with your Zoho Creator service, I discovered that you do not properly sanitize special meta characters. This results into persistent XSS on your site which can be easily implemented into a XSS Worm.

Here is a demonstration of the bug:

http://creator.zoho.com/pdp/xssdb/view/1/
http://creator.zoho.com/pdp/vi.....000007003/

Please do not destroy the database, it is currently in use. Let me know as soon as you verify the bug so I we can remove the malicious entries.

The fix is quite simple. Every time you display something, make sure that you use XML entities for the XML specific meta characters such as < and >. You can substitute them for &gt; and &lt;. Similar approach applies in cases where the user supplied data resides inside element attributes although you have to take care of ” (double) or ‘ (single) quotes as well, depending on whether you use double quote or single quote enclosed element attributes.

It is also recommended that you implement a captcha like component that we can use as part of the zoho forms. This feature will prevent bulk insertion attacks. Right now, everyone can abuse your forms. Users can still moderate their forms but the administrative overhead could become too much especially in situations where the database in use is quite large. If you make the captcha component optional, that will be great.

One additional question that I need to ask is about your business model. The truth is that Zoho provides good service but I cannot see what’s your business model. Are you planning to implement ads in the future? It is important that your users understand how your service may mutate in the future.

Thanks,
pdp

I’ll have a dig later why, but right now i have a report to do!

Nice one - but I am not sure if it makes sense to allow user generated content for the XSSDB (or are new vectors moderated?).

I would very much like to add my vectors, kishors solutions and the stuff that came up during pentesting the PHPIDS. Is there another interface that I can access?

Greetings,
.mario

Charles, thanks for that. Short after this response, I will email you guys the details of the XSS vulnerability I stumbled across while developing for your platform. I hope that you find the XSSDB project as noble as we do. Zoho Creator is a great service. Good job!

Kishor, yes I’ve seen your page but single page cheat sheets are quite hard to work with. This is exactly the same problem I had with RSnake’s cheat sheet as well. Moreover, how do we contribute new attack vectors? How can we inform website owners that their applications are vulnerable to whatever XSS attacks? This is the reason why we work so hard on XSSDB at the moment. By mashing up Zoho Creator with several other online tools we are planning to produce a decentralized Cross-site scripting warning system that everyone can use. Security researcher will benefit from the system by helping them perform better test and design more accurate XSS scanners. Website owners will benefit from the instant feedback. It is open and it is free. Everyone is welcome to mashup this service with their data. In fact, we encourage it.

You need to enable javascript ofcourse and popups in order to be able to use UI.

Mario has his XML version of XSS vectors at http://mario.heideri.ch/xss.xml

Thanks for choosing Zoho Creator as the database for maintaining the DB for XSS. We will make sure Zoho Creator is fool proof against all the xss vulnerabilities. We assure you will have the best and a secured service from Zoho Creator.

Regards,
Charles
Zoho Creator

it is my suggestion to readers of this post that they make sure http referers are off and that they are using an adequately anonymous proxy before copy, pasting, and properly modifying this url (there are extra dots in the domain name)

http://www..v.e.n.o.m.-.i.n.c......showuser=1