XSS attacks on location window

Posted: Sat Sep 13, 2014 1:20 pm
by cap2cap10
Hello, again members of the PHP Technorati. I come to you with a question concerning cross site scripting attacks using the browser's location window. I have a script and I wish to know how I would sanitize any scripting attack that uses the location window:

<?php

// Whitelist of page names to the files they map to
$page_files = array( 'about'   => 'about.html',
                     'photos'  => 'photos.html',
                     'contact' => 'contact.html',
                     'home'    => 'home.html'
                   );

// Only a value that is one of the whitelist keys is accepted; isset() avoids
// an undefined-index notice when no page is requested, and the strict flag
// avoids loose comparison surprises.
if (isset($_GET['page']) && in_array($_GET['page'], array_keys($page_files), true)) {
    include $page_files[$_GET['page']];
} else {
    include $page_files['home'];
}

?>
So, could I use Filter_input anywhere or any other technique to sanitize incoming page requests with malicious code?

Thanks in advance.

Batoe :drunk:

Re: XSS attacks on location window

Posted: Sat Sep 13, 2014 6:39 pm
by requinix
XSS happens in HTML and Javascript. Not in PHP code. What you've posted has nothing to do with it.

Re: XSS attacks on location window

Posted: Sat Sep 13, 2014 6:51 pm
by cap2cap10
really?

http://yoursite.com/details.php?id=x+on ... (/hacked/)

What will be the result of this in the location window in the Browser?
I wish to know how to use php to block this vulnerability. Specifically how do you sanitize urls using php?

respectfully,


Batoe

Re: XSS attacks on location window

Posted: Sat Sep 13, 2014 7:55 pm
by requinix
And the result of that is HTML or Javascript that has the XSS in it. Poor choice of words on my part: the fix is in the PHP code.

So in the code you posted, where are you outputting HTML or Javascript? You aren't. That's why it's not vulnerable.

Re: XSS attacks on location window

Posted: Sat Sep 13, 2014 8:20 pm
by cap2cap10
OK, I see what you are getting at. You are saying that this script does not allow XSS attacks since it doesn't allow the user to input HTML or Javascript code. It will automatically send the user to any page listed within the array. I think I get it. Please excuse my ignorance. I am trying to create a web application that offers protection from external attacks but I don't want to implement a framework that will deobfuscate my code and show the organization of files revealing the functionality of my scripts. Thanks again for your input.

Sincerely,

Batoe

Re: XSS attacks on location window

Posted: Sat Sep 13, 2014 9:13 pm
by requinix
cap2cap10 wrote: OK, I see what you are getting at. You are saying that this script does not allow xss attacks since it doesn't allow the user to input HTML or Javascript code.
Almost. It does take "user" input: the page name. But you aren't putting that into any HTML (in that code) so there's nothing to do.
There is a different sort of vulnerability with what you're doing, "remote file inclusion", but you've already protected yourself against it by using a whitelist of allowed values. So I didn't mention it before.
cap2cap10 wrote: I am trying to create a web application that offers protection from external attacks but I don't want to implement a framework that will deobfuscate my code and show the organization of files revealing the functionality of my scripts.
A good idea, but don't be absolutely paranoid about it. If you were, the "page" would be, like, random strings and you'd have a mapping of each to the underlying filename, but that's just silly. Not to mention a hassle for anybody who has to work with the code.

What you have there is a router script, which is something that routes a request to... someplace. In your case it routes to a file. So you should be considering vulnerabilities with that sort of behavior; besides the one I mentioned (and you've addressed), I can't think of any off the top of my head. Though if you did database lookups or something, there would be potential vulnerabilities with that part of it.

For XSS you should be looking at the various files. On that note, are they static HTML or PHP? If they're HTML then there's no risk - however you shouldn't be using include() because that will attempt to execute anything that looks like PHP code within. (Go for readfile instead.) If they're PHP then there is, of course, risk but I'd ask why they're named ".html".
Another thing to think about is whether you want people to access the files directly. Given "index.php?page=about" it's not a big jump to conclude there's an "about.html" too. Your router script doesn't do anything besides go directly into the files so there wouldn't be any difference in the result, but you should try to remove any sort of duplication.
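The points made in the replies above (whitelist lookup so the user never names a file, readfile() rather than include() for static HTML, and escaping the moment the request value is echoed into markup) put together in one router. This is an added example, not code from the thread; it assumes the four .html files sit next to the script.

```php
<?php
// Added example: whitelisted router showing where XSS actually has to be
// handled, which is at output time, not in the routing logic.
declare(strict_types=1);

$page_files = [
    'about'   => 'about.html',
    'photos'  => 'photos.html',
    'contact' => 'contact.html',
    'home'    => 'home.html',
];

// Resolve the request against the whitelist. Only array keys are accepted,
// so a requested value can never be turned into a file path (this is what
// closes the file-inclusion problem mentioned above). Non-strings, e.g.
// ?page[]=x, fall through to the default as well.
function resolve_page(array $page_files, mixed $requested): string
{
    if (is_string($requested) && array_key_exists($requested, $page_files)) {
        return $requested;
    }
    return 'home';
}

$raw  = $_GET['page'] ?? null;           // untrusted, may be anything
$page = resolve_page($page_files, $raw); // trusted: one of our own keys

// Escape anything that came from the request before it lands in HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<!DOCTYPE html>
<html>
<head><title><?= h($page) ?></title></head>
<body>
<?php if (is_string($raw) && $raw !== $page): ?>
  <!-- The raw value is the XSS risk: it is echoed only through h() -->
  <p>Unknown page "<?= h($raw) ?>", showing home instead.</p>
<?php endif; ?>
<?php
// Static HTML is copied to the output as-is. include() would execute any
// <?php ... ?> block the file happened to contain.
readfile($page_files[$page]);
?>
</body>
</html>
```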