XSS Exposed - how do I fix them?
simonmlewis
- DevNet Master
- Posts: 4435
- Joined: Wed Oct 08, 2008 3:39 pm
- Location: United Kingdom
XSS Exposed - how do I fix them?
index.php?page=search&search=<img src=x onerror=prompt(/XSSPOSED/)>
How do we stop these from generating the popup?
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
simonmlewis
Re: XSS Exposed - how do I fix them?
We are using PDO, but it still generates the dreaded popup.
But it might be because we don't "escape" it from being seen in the $variable in the screen. So search for "hats", and the word "hats" will appear, without being escaped.
So I assume we need to somehow escape the bad stuff in the $_GET ?? But how?
Code: Select all
if(isset($_GET['search']))
{
    $search = $_GET['search'];
    $_SESSION['search']=$search;
} else {
    $search=$_SESSION['search'];
}
$count = 0;
$searchhead = $search;
// mysql_real_escape_string escapes for a SQL string literal, not for HTML output, and was removed in PHP 7
$search=mysql_real_escape_string($_GET["search"]);
Re: XSS Exposed - how do I fix them?
PDO and prepared statements help protect against SQL injection. This is something completely different. You're accepting user values and echoing them directly without filtering them. What you want here is to either wrap output in htmlspecialchars or use templates (Twig, Blade, etc) that will do it for you.
simonmlewis
Re: XSS Exposed - how do I fix them?
Code: Select all
if(isset($_GET['search']))
{
    $search = htmlspecialchars($_GET['search'], ENT_QUOTES);
    $_SESSION['search']=$search;
} else {
    $search=$_SESSION['search'];
}
Coz it isn't working.
Re: XSS Exposed - how do I fix them?
No, you want to filter it prior to echoing. I don't even see output in your snippet of code.
simonmlewis
Re: XSS Exposed - how do I fix them?
Code: Select all
$search = htmlspecialchars($_GET['search'], ENT_QUOTES);
if(isset($search))
{
    $_SESSION['search']=$search;
} else {
    $search=$_SESSION['search'];
}
simonmlewis
Re: XSS Exposed - how do I fix them?
We echo it like this:
Code: Select all
<div class='cat_head'>$num_rows results found for $search</div>
So I can see the issue, but want to stamp it down right at the top. Be better if it threw the person to a custom 404 page.
So if I could establish what it is in our header files, and then chuck them out to a 404 IF the code is bad?!
simonmlewis
Re: XSS Exposed - how do I fix them?
Actually I can see the Blog handles it perfectly, but just saying that text is bad. So I guess I just need to do it like that. But how.
Re: XSS Exposed - how do I fix them?
Code: Select all
<?php
$search = $_GET['search'] ?? '';
// Prepared statement to prevent SQL injection
$query = "SELECT * FROM whatever WHERE name LIKE :search";
$stmt = $db->prepare($query);
$exec = $stmt->execute(['search' => '%' . $search . '%']);
$results = [];
if ($exec) {
    $results = $stmt->fetchAll();
}
?>
<h1>Search Results</h1>
<?php /** Here we filter the _output_ to prevent XSS **/ ?>
<p>You searched for <?= htmlspecialchars($search, ENT_QUOTES, 'UTF-8'); ?></p>
<?php foreach ($results as $result): ?>
...
<?php endforeach; ?>
Re: XSS Exposed - how do I fix them?
That's a reasonably complete if somewhat contrived example.
simonmlewis
Re: XSS Exposed - how do I fix them?
That's prevented the popup. So that's great.
It echoes the <> tag on screen, but that's fine.
But why is it producing 88 results?? When there is clearly nothing to be found?
simonmlewis
Re: XSS Exposed - how do I fix them?
I'm trying to see if I can override the result and if there is an < tag in there, replace "$search" with another word, like the main keyword for the site perhaps! but if I do this:
It doesn't work.
Code: Select all
if(preg_match('/</', $search))
{
    $search = "shirts";
}
Re: XSS Exposed - how do I fix them?
simonmlewis wrote: But why is it producing 88 results?? When there is clearly nothing to be found?
One has nothing to do with the other. htmlspecialchars is used prior to echoing output. That's it, that's all. Perhaps if you posted a more complete, meaningful block of code? Obfuscate anything identifying/sensitive, of course, but two line snippets in isolation are often meaningless.
Re: XSS Exposed - how do I fix them?
simonmlewis wrote: I'm trying to see if I can override the result and if there is an < tag in there, replace "$search" with another word, like the main keyword for the site perhaps! but if I do this:
It doesn't work.
Code: Select all
if(preg_match('/</', $search)) { $search = "shirts"; }
Is this before or after htmlspecialchars? If after, the < will have been replaced by &lt;
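The advice in the replies above (keep the raw term for the query, encode with htmlspecialchars only where it is written into HTML, and run any check for '<' before encoding rather than after), pulled together as one added example that is not code from the thread. It assumes a products table with a name column, constructed here in an in-memory SQLite database so it runs offline; the LIKE wildcard escaping and the empty-term check go beyond what the thread shows.

```php
<?php
// Added example, not code from the thread. The raw search term is used for the
// database query and encoded only where it is written into HTML. The products
// table and its rows are constructed in an in-memory SQLite database so this
// runs offline; swap in your own PDO connection for $db.
declare(strict_types=1);
session_start();

function htmlOut(string $value): string
{
    // Encode for an HTML text or attribute context. ENT_QUOTES also covers the
    // single-quoted attribute in <div class='cat_head'>; the charset is explicit.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function runSearch(PDO $db, string $term): array
{
    if ($term === '') {
        return [];   // '%%' would match every row, so do not query on an empty term
    }
    // '%' and '_' are LIKE wildcards; escape them (and the escape char) with '!'
    // so the user's term is matched literally. The placeholder stays bound as data.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    $stmt = $db->prepare("SELECT name FROM products WHERE name LIKE :pattern ESCAPE '!'");
    $stmt->execute(['pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE products (name TEXT)');
$db->exec("INSERT INTO products VALUES ('red hats'), ('blue shirts'), ('wool hats')");

// Take the raw term (or the last one from the session) and store it raw:
// encoding here would put an HTML-encoded value into both the query and the session.
$search = is_string($_GET['search'] ?? null) ? $_GET['search'] : ($_SESSION['search'] ?? '');
$_SESSION['search'] = $search;

// Any check for markup has to run on the raw value: after htmlspecialchars the
// '<' is '&lt;', so a '/</' check run after encoding cannot match.
if (strpos($search, '<') !== false) {
    $search = 'shirts';
}
$results = runSearch($db, $search);
?>
<div class='cat_head'><?= count($results) ?> results found for <?= htmlOut($search) ?></div>
<?php foreach ($results as $row): ?>
<p><?= htmlOut($row['name']) ?></p>
<?php endforeach; ?>
```

Requesting the page with the payload from the first post renders the tag as literal text in the heading and returns no rows, while a search for "hats" still matches both hat rows.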