XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 5:57 am
by simonmlewis
index.php?page=search&search=<img src=x onerror=prompt(/XSSPOSED/)>
How do we stop these from generating the popup?
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:08 am
by simonmlewis
We are using PDO, but it still generates the dreaded popup.
But it might be because we don't "escape" it from being seen in the $variable in the screen. So search for "hats", and the word "hats" will appear, without being escaped.
Code:
if(isset($_GET['search']))
{
$search = $_GET['search'];
$_SESSION['search']=$search;
} else {
$search=$_SESSION['search'];
}
$count = 0;
$searchhead = $search;
$search=mysql_real_escape_string($_GET["search"]);
So I assume we need to somehow escape the bad stuff in the $_GET ?? But how?
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:19 am
by Celauran
PDO and prepared statements help protect against SQL injection. This is something completely different. You're accepting user values and echoing them directly without filtering them. What you want here is to either wrap output in htmlspecialchars or use templates (Twig, Blade, etc.) that will do it for you.
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:20 am
by Celauran
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:26 am
by simonmlewis
Code:
if(isset($_GET['search']))
{
$search = htmlspecialchars($_GET['search'], ENT_QUOTES);
$_SESSION['search']=$search;
} else {
$search=$_SESSION['search'];
}
Like this?
Coz it isn't working.
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:28 am
by Celauran
No, you want to filter it prior to echoing. I don't even see output in your snippet of code.
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:30 am
by simonmlewis
Code:
$search = htmlspecialchars($_GET['search'], ENT_QUOTES);
if(isset($search))
{
$_SESSION['search']=$search;
} else {
$search=$_SESSION['search'];
}
More like this?
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:33 am
by simonmlewis
We echo it like this:
Code:
<div class='cat_head'>$num_rows results found for $search</div>
So I can see the issue, but want to stamp it down right at the top. Be better if it threw the person to a custom 404 page.
So if I could establish what it is in our header files, and then chuck them out to a 404 IF the code is bad?!
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:34 am
by simonmlewis
Actually I can see the Blog handles it perfectly, but just saying that text is bad. So I guess I just need to do it like that. But how.
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:36 am
by Celauran
Code:
<?php
$search = $_GET['search'];
// Prepared statement to prevent SQL injection
$query = "SELECT * FROM whatever WHERE name LIKE :search";
$stmt = $db->prepare($query);
$exec = $stmt->execute(['search' => '%' . $search . '%']);
$results = [];
if ($exec) {
$results = $stmt->fetchAll();
}
?>
<h1>Search Results</h1>
<?php /** Here we filter the _output_ to prevent XSS **/ ?>
<p>You searched for <?= htmlspecialchars($search); ?></p>
<?php foreach ($results as $result): ?>
...
<?php endforeach; ?>
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:38 am
by Celauran
That's a reasonably complete if somewhat contrived example.
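The same shape as Celauran's snippet, written out as an added example (not code from the thread) with the two caveats a reviewer would raise on it: pass explicit flags to htmlspecialchars, and escape the same way inside attributes as in text. Everything below is assumed for the illustration: an in-memory SQLite table `products(name)`, a helper named `e()`, and the constructed rows and search terms; the payload mirrors the one in the first post.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes the pdo_sqlite extension is loaded.

/** Escape for HTML text content or a quoted attribute value (single or double quotes). */
function e(string $value): string
{
    // ENT_QUOTES escapes ' as well as ". Before PHP 8.1 the default flags were
    // ENT_COMPAT, which leaves single quotes alone, so a value placed inside
    // value='...' could still break out of the attribute. ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of making htmlspecialchars return '' and silently
    // drop the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The header from the thread's snippet, with the search term escaped at output. */
function renderHeader(int $numRows, string $search): string
{
    return "<div class='cat_head'>{$numRows} results found for " . e($search) . "</div>";
}

/** Pre-filled search box; the attribute is single-quoted, so ENT_QUOTES matters here. */
function renderSearchBox(string $search): string
{
    return "<input type='text' name='search' value='" . e($search) . "'>";
}

/** The raw term goes to the database via a bound parameter; no HTML escaping belongs here. */
function findResults(PDO $db, string $search): array
{
    $stmt = $db->prepare('SELECT name FROM products WHERE name LIKE :search');
    $stmt->execute(['search' => '%' . $search . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT NOT NULL)');
$db->exec("INSERT INTO products (name) VALUES ('red hats'), ('blue shirts'), ('O''Neil hats')");

// Constructed inputs: the payload from the first post, a term with a quote, a normal term.
$inputs = [
    '<img src=x onerror=prompt(/XSSPOSED/)>',
    "O'Neil",
    'hats',
];

foreach ($inputs as $search) {
    $results = findResults($db, $search);                 // raw value, bound parameter
    echo renderHeader(count($results), $search), PHP_EOL; // escaped only at output
    echo renderSearchBox($search), PHP_EOL;
    foreach ($results as $name) {
        echo '  <li>', e($name), '</li>', PHP_EOL;        // values read back from the DB are escaped too
    }
}
```

Run it from the command line with php. Every `<`, `>`, `'` and `"` that came from the inputs reaches the page as an entity, so the img tag is rendered as text rather than parsed as an element, and the single quote in O'Neil cannot terminate the value='...' attribute. The search term itself is never modified on the way in, which is what keeps the LIKE lookup and anything stored in the session correct.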
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:46 am
by simonmlewis
That's prevented the popup. So that's great.
It echoes the <> tag on screen, but that's fine.
But why is it producing 88 results?? When there is clearly nothing to be found?
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:48 am
by simonmlewis
I'm trying to see if I can override the result and if there is an < tag in there, replace "$search" with another word, like the main keyword for the site perhaps! But if I do this:
Code:
if(preg_match('/</', $search))
{
$search = "shirts";
}
It doesn't work.
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:53 am
by Celauran
simonmlewis wrote: But why is it producing 88 results?? When there is clearly nothing to be found?
One has nothing to do with the other. htmlspecialchars is used prior to echoing output. That's it, that's all. Perhaps if you posted a more complete, meaningful block of code? Obfuscate anything identifying/sensitive, of course, but two line snippets in isolation are often meaningless.
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:54 am
by Celauran
simonmlewis wrote: I'm trying to see if I can override the result and if there is an < tag in there, replace "$search" with another word, like the main keyword for the site perhaps! But if I do this:
Code:
if(preg_match('/</', $search))
{
$search = "shirts";
}
It doesn't work.
Is this before or after htmlspecialchars? If after, the < will have been replaced by &lt;
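The ordering point in that last reply, shown as an added example (not code from the thread): the `<` check has to run on the raw term, because after htmlspecialchars there is no `<` left to match, and the escaped value must not be the one saved to the session, or the template will escape it a second time. The helper `e()`, the fallback word "shirts" and the two sample terms are assumptions for the illustration; the payload mirrors the first post.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread.

/** Output escaping, applied only when a value is written into HTML. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The check from the thread: does the term contain a literal '<'? */
function looksLikeMarkup(string $term): bool
{
    return preg_match('/</', $term) === 1;
}

/** Wrong order: escape at input, then check. '<' is already '&lt;', so the check cannot fire. */
function escapeThenCheck(string $raw, string $fallback = 'shirts'): array
{
    $escaped = e($raw);
    $term = looksLikeMarkup($escaped) ? $fallback : $escaped;
    return ['matched' => looksLikeMarkup($escaped), 'rendered' => $term];
}

/** Right order: keep the raw term for checks and queries, escape once when rendering. */
function checkThenEscape(string $raw, string $fallback = 'shirts'): array
{
    $matched = looksLikeMarkup($raw);
    $term = $matched ? $fallback : $raw;
    return ['matched' => $matched, 'rendered' => e($term)];
}

/**
 * What happens to a term that is saved to the session and later rendered by a
 * template that escapes at output (as it should). $escapeBeforeStore = true is
 * the pattern from the poster's second attempt and leads to double encoding.
 */
function sessionRoundTrip(string $raw, bool $escapeBeforeStore): string
{
    $session = [];                                   // stands in for $_SESSION
    $session['search'] = $escapeBeforeStore ? e($raw) : $raw;
    return e($session['search']);                    // the template escapes regardless
}

$payload = '<img src=x onerror=prompt(/XSSPOSED/)>'; // constructed, mirrors the first post
$plain   = 'Tom & Jerry hats';                       // constructed benign term containing '&'

// The first call never matches: the regex is looking for '<' in '&lt;img ...'.
var_dump(escapeThenCheck($payload));
// The second call matches on the raw term and renders the escaped fallback word.
var_dump(checkThenEscape($payload));

// Escaping before the session: '&' becomes '&amp;' in storage and '&amp;amp;' on the page.
echo sessionRoundTrip($plain, true), PHP_EOL;
// Raw in the session, escaped once at output: the page shows the term as typed.
echo sessionRoundTrip($plain, false), PHP_EOL;
```

The two functions differ only in where `e()` is applied, which is the whole point of the thread: `$search` stays raw while it is compared, queried and stored, and `htmlspecialchars` is the last thing that touches it before it is echoed. The same applies to any value that is escaped and then written back to `$_SESSION` or the database, since each later render would add another layer of `&amp;`.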