XSS attacks on location window

cap2cap10
Forum Contributor
Posts: 158
Joined: Mon Apr 14, 2008 11:06 pm

XSS attacks on location window

Post by cap2cap10 »

Hello again, members of the PHP Technorati. I come to you with a question concerning cross site scripting attacks using the browser's location window. I have a script and I wish to know how I would sanitize any scripting attack that uses the location window:

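Code:

<?php
// Whitelist: the only page names the router will serve, mapped to their files.
$page_files = array(
    'about'   => 'about.html',
    'photos'  => 'photos.html',
    'contact' => 'contact.html',
    'home'    => 'home.html'
);

// Serve the requested page only if it is a known key; otherwise fall back to home.
// isset() avoids an undefined-index notice when no page parameter is sent.
if (isset($_GET['page']) && in_array($_GET['page'], array_keys($page_files))) {
    include $page_files[$_GET['page']];
} else {
    include $page_files['home'];
}
?>

So, could I use Filter_input anywhere or any other technique to sanitize incoming page requests with malicious code?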

Thanks in advance.

Batoe :drunk:
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: XSS attacks on location window

Post by requinix »

XSS happens in HTML and Javascript. Not in PHP code. What you've posted has nothing to do with it.
cap2cap10
Forum Contributor
Posts: 158
Joined: Mon Apr 14, 2008 11:06 pm

Re: XSS attacks on location window

Post by cap2cap10 »

Really?

http://yoursite.com/details.php?id=x+on ... (/hacked/)

What will be the result of this in the location window in the browser?
I wish to know how to use PHP to block this vulnerability. Specifically, how do you sanitize URLs using PHP?

respectfully,


Batoe
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: XSS attacks on location window

Post by requinix »

And the result of that is HTML or Javascript that has the XSS in it. Poor choice of words on my part: the fix is in the PHP code.

So in the code you posted, where are you outputting HTML or Javascript? You aren't. That's why it's not vulnerable.
cap2cap10
Forum Contributor
Posts: 158
Joined: Mon Apr 14, 2008 11:06 pm

Re: XSS attacks on location window

Post by cap2cap10 »

OK, I see what you are getting at. You are saying that this script does not allow XSS attacks since it doesn't allow the user to input HTML or Javascript code. It will automatically send the user to any page listed within the array. I think I get it. Please excuse my ignorance. I am trying to create a web application that offers protection from external attacks but I don't want to implement a framework that will deobfuscate my code and show the organization of files revealing the functionality of my scripts. Thanks again for your input.

Sincerely,

Batoe
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: XSS attacks on location window

Post by requinix »

cap2cap10 wrote: OK, I see what you are getting at. You are saying that this script does not allow XSS attacks since it doesn't allow the user to input HTML or Javascript code.

Almost. It does take "user" input: the page name. But you aren't putting that into any HTML (in that code) so there's nothing to do.
There is a different sort of vulnerability with what you're doing, "remote file inclusion", but you've already protected yourself against it by using a whitelist of allowed values. So I didn't mention it before.

cap2cap10 wrote: I am trying to create a web application that offers protection from external attacks but I don't want to implement a framework that will deobfuscate my code and show the organization of files revealing the functionality of my scripts.

A good idea, but don't be absolutely paranoid about it. If you were, the "page" would be, like, random strings and you'd have a mapping of each to the underlying filename, but that's just silly. Not to mention a hassle for anybody who has to work with the code.

What you have there is a router script which is something that routes a request to... someplace. In your case it routes to a file. So you should be considering vulnerabilities with that sort of behavior; besides the one I mentioned (and you've addressed), I can't think of any off the top of my head. Though if you did database lookups or something, there would be potential vulnerabilities with that part of it.

For XSS you should be looking at the various files. On that note, are they static HTML or PHP? If they're HTML then there's no risk - however you shouldn't be using include() because that will attempt to execute anything that looks like PHP code within. (Go for readfile instead.) If they're PHP then there is, of course, risk but I'd ask why they're named ".html".
Another thing to think about is whether you want people to access the files directly. Given "index.php?page=about" it's not a big jump to conclude there's an "about.html" too. Your router script doesn't do anything besides go directly into the files so there wouldn't be any difference in the result, but you should try to remove any sort of duplication.
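
The points made in this thread, put together as an added example (not code posted by either participant): a whitelist router, escaping only where the request value reaches HTML, and the include() versus readfile() difference for static files. The function names, the sample requests and the temporary file are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Same whitelist as in the original post.
const PAGES = [
    'about'   => 'about.html',
    'photos'  => 'photos.html',
    'contact' => 'contact.html',
    'home'    => 'home.html',
];

// Map the raw query to a whitelisted file; anything unknown falls back to home.
function resolve_page(array $query): string
{
    $page = $query['page'] ?? 'home';
    // Reject arrays (?page[]=x) and unknown keys before touching the filesystem.
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        $page = 'home';
    }
    return PAGES[$page];
}

// XSS only matters where the request value is written into HTML, so escape there.
function page_label(array $query): string
{
    $raw = is_string($query['page'] ?? null) ? $query['page'] : '';
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample requests: valid, traversal attempt, markup, array, missing.
$samples = [['page' => 'about'], ['page' => '../../etc/passwd'],
            ['page' => '<script>alert(1)</script>'], ['page' => ['about']], []];
foreach ($samples as $query) {
    printf("%-42s -> %-10s label: %s\n",
        json_encode($query), resolve_page($query), page_label($query));
}

// include() runs anything that looks like PHP in the file; readfile() only sends bytes.
$tmp = tempnam(sys_get_temp_dir(), 'page');
file_put_contents($tmp, "<p>static</p><?php echo 'executed'; ?>");
ob_start(); readfile($tmp); $as_read = ob_get_clean();
ob_start(); include $tmp;   $as_included = ob_get_clean();
unlink($tmp);
echo "readfile: $as_read\ninclude:  $as_included\n";
```

Every unknown or malformed value resolves to home.html, the markup sample is printed with its angle brackets entity-encoded, and the last two lines show include() executing the embedded PHP while readfile() emits it verbatim.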