cap2cap10 wrote: OK, I see what you are getting at. You are saying that this script does not allow XSS attacks since it doesn't allow the user to input HTML or JavaScript code.
Almost. It does take "user" input: the page name. But you aren't putting that into any HTML (in that code) so there's nothing to do.
There is a different sort of vulnerability with what you're doing, "remote file inclusion", but you've already protected yourself against it by using a whitelist of allowed values. So I didn't mention it before.
cap2cap10 wrote: I am trying to create a web application that offers protection from external attacks, but I don't want to implement a framework that will deobfuscate my code and show the organization of files, revealing the functionality of my scripts.
A good idea, but don't be absolutely paranoid about it. If you were, the "page" would be, like, random strings and you'd have a mapping of each to the underlying filename, but that's just silly. Not to mention a hassle for anybody who has to work with the code.
What you have there is a router script, which is something that routes a request to... someplace. In your case it routes to a file. So you should be considering vulnerabilities with that sort of behavior; besides the one I mentioned (and you've addressed), I can't think of any off the top of my head. Though if you did database lookups or something, there would be potential vulnerabilities with that part of it.
For XSS you should be looking at the various files. On that note, are they static HTML or PHP? If they're HTML then there's no risk - however, you shouldn't be using include() because that will attempt to execute anything that looks like PHP code within. (Go for readfile() instead.) If they're PHP then there is, of course, risk, but I'd ask why they're named ".html".
Another thing to think about is whether you want people to access the files directly. Given "index.php?page=about" it's not a big jump to conclude there's an "about.html" too. Your router script doesn't do anything besides go directly into the files so there wouldn't be any difference in the result, but you should try to remove any sort of duplication.
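To make the three points above concrete (whitelist the "page" value, serve static HTML with readfile() rather than include(), and keep the files out of the web root so they can't be fetched directly), here is an added example router. It is not the original poster's script; the page names, the "pages/" directory one level above the web root, and the file names are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code. Assumes the static pages
// live in "../pages/" relative to this file, i.e. outside the document root,
// so "about.html" cannot be requested directly and there is only one copy.

declare(strict_types=1);

// Whitelist: the only values "page" may take, each mapped to its file.
// Anything not listed is rejected, so neither "../../etc/passwd" nor
// "http://attacker.example/shell.txt" can ever reach the filesystem call.
const PAGES = [
    'home'    => 'home.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

const PAGE_DIR = __DIR__ . '/../pages';

/**
 * Resolve the requested page name to an absolute path, or null if it is
 * not on the whitelist. Only the whitelist decides the path; the user
 * input is never concatenated into it.
 */
function resolvePage(?string $requested): ?string
{
    $key = $requested ?? 'home';
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$key];
}

// $_GET['page'] may be missing, a string, or (for "?page[]=x") an array;
// treat anything that is not a string as "not given".
$requested = $_GET['page'] ?? null;
$path = resolvePage(is_string($requested) ? $requested : null);

if ($path === null || !is_file($path)) {
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    echo "No such page\n";
    exit;
}

// The pattern to avoid, kept here as a comment for comparison:
//   include 'pages/' . $_GET['page'] . '.html';
// Two problems: the unchecked value allows local (and, with
// allow_url_include, remote) file inclusion, and include() parses and
// executes any "<?php ... ?>" that appears in the .html file.

// readfile() streams the bytes to the client without interpreting them,
// so PHP tags inside a static page are just text.
header('Content-Type: text/html; charset=utf-8');
readfile($path);
```

Because the whitelist maps names to files rather than building a path from the input, the script never needs to "sanitize" the page parameter; an unknown name is simply a 404. Moving the files above the document root is what removes the duplication mentioned above: the router becomes the only way to reach them.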