PHP XSS

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Foxy999
Forum Commoner
Posts: 45
Joined: Sat Mar 21, 2009 11:50 am

PHP XSS

Post by Foxy999 »

How do I prevent people from injecting code with this:

Code:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
This is straight from the XSS cheat sheet at ha.ckers.org

Foxy
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: PHP XSS

Post by tr0gd0rr »

Try running any rich-text posts through HTML Purifier. It takes a strict whitelist approach to HTML scrubbing with a full HTML parser.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP XSS

Post by jackpf »

I'm just curious - what's supposed to be vulnerable to this code?
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: PHP XSS

Post by tr0gd0rr »

I don't know how it works, but I just ran the following in my Firebug console on this site and it opens up an alert box with the text "XSS".

Code:

document.getElementById('site-description').innerHTML = "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";
But for example the following does not produce an alert:

Code:

document.getElementById('site-description').innerHTML = "<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";
So something about the "garbage" at the beginning must be crucial to the hack.
mabwi
Forum Commoner
Posts: 27
Joined: Wed Aug 01, 2007 4:51 pm

Re: PHP XSS

Post by mabwi »

jackpf wrote:I'm just curious - what's supposed to be vulnerable to this code?
This particular code isn't anything bad, but that site uses alerts to show you when you have a vulnerability that could be attacked by malicious code.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP XSS

Post by jackpf »

Oh right...well that seems kind of pointless. Surely it'd be easier just to put

Code:

<script>alert('hello');</script>
in the div instead?

Sorry if I'm being stupid, I just don't see the point 8O
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: PHP XSS

Post by tr0gd0rr »

That may not be the best example, but the examples on http://ha.ckers.org/xss.html show that it is extremely difficult to write a set of regexes, or any other blacklist filter, that can detect all attacks. The following are some examples from xss.html that would require particularly complex regexes to detect.

Code:

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<iframe src=http://ha.ckers.org/scriptlet.html <
¼script¾alert(¢XSS¢)¼/script¾
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
That is one reason why BBCode and other markups are popular: no HTML tags are allowed at all. And of course, the alert() is just one example of a javascript snippet that could do harm. An actual hack would involve capturing keystrokes and sending them to some server via ajax or reading private data using ActiveX or who knows what else.

I ran into a vulnerability, for example, where the display of a username was not escaped on a customer service app with financial info. It would potentially allow a hacker to set a short snippet as their username and inject a keylogger that would persist in a parent frame. All you would need to do is call customer service. When they pull up that file, the CS agent would notice nothing out of the ordinary, but the script could extract info about other customer accounts when the CS agent pulled up other accounts on subsequent calls.
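As an added illustration of the blacklist point above (this is editor-added example code, not code from the thread or from HTML Purifier), the PHP below runs a naive regex blacklist against vectors modelled on the sheet entries quoted in the post, decodes an attribute value the way a browser would, and shows what a strip_tags() tag allowlist still lets through. All function names are illustrative, the vectors are constructed inline, and the mbstring extension is assumed for mb_chr().

```php
<?php
// Added example, not code from the thread: a regex blacklist run against
// vectors in the style of the ha.ckers.org sheet, plus a strip_tags() tag
// allowlist, to show what each lets through. Function names are illustrative.

declare(strict_types=1);

// The kind of blacklist the post argues against: strip <script> blocks and
// the literal string "javascript:".
function naiveBlacklist(string $html): string
{
    $html = preg_replace('#<script\b[^>]*>.*?</script\s*>#is', '', $html);
    return str_ireplace('javascript:', '', $html);
}

function survivesBlacklist(string $vector): bool
{
    return naiveBlacklist($vector) === $vector;
}

// What a browser sees in an attribute value: numeric character references are
// decoded with or without the trailing ";" (html_entity_decode() insists on
// it), and tab/newline inside a URL scheme are ignored.
function browserDecode(string $attrValue): string
{
    $s = preg_replace_callback('/&#x([0-9a-f]+);?/i',
        fn ($m) => mb_chr((int) hexdec($m[1]), 'UTF-8'), $attrValue);
    $s = preg_replace_callback('/&#([0-9]+);?/',
        fn ($m) => mb_chr((int) $m[1], 'UTF-8'), $s);
    return ltrim(str_replace(["\t", "\n", "\r"], '', $s));
}

// Extract the SRC of an <img> and test the decoded value for a javascript: URL.
function imgSrcIsScript(string $tag): bool
{
    if (!preg_match('/\bsrc\s*=\s*(?:"([^"]*)"|([^\s>]+))/i', $tag, $m)) {
        return false;
    }
    $value = $m[1] !== '' ? $m[1] : ($m[2] ?? '');
    return stripos(browserDecode($value), 'javascript:') === 0;
}

// A tag allowlist via strip_tags() is not a parser: attributes on allowed tags
// are kept verbatim, and the text content of removed tags is kept as well.
function allowlistStripTags(string $html): string
{
    return strip_tags($html, '<b><i><a>');
}

// Constructed vectors, modelled on the sheet entries quoted in the post.
$vectors = [
    // hex character references with no semicolons spelling javascript:alert('XSS')
    'hex_refs'    => '<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>',
    // an encoded tab inside the scheme splits the literal the blacklist looks for
    'encoded_tab' => '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
    // CSS backslash escapes hide the scheme from a plain string match
    'css_escapes' => '<STYLE>@im\port\'\ja\vasc\ript:alert("XSS")\';</STYLE>',
];

foreach ($vectors as $name => $v) {
    printf("%-12s survives blacklist: %s\n", $name, survivesBlacklist($v) ? 'yes' : 'no');
}
foreach (['hex_refs', 'encoded_tab'] as $name) {
    printf("%-12s decodes to javascript: URL: %s\n", $name, imgSrcIsScript($vectors[$name]) ? 'yes' : 'no');
}

// The event handler and the javascript: href survive; only the <script> tags go.
$marked = '<a href="javascript:alert(1)" onmouseover="alert(2)">link</a><script>alert(3)</script>';
echo allowlistStripTags($marked), "\n";
```

All three vectors pass through naiveBlacklist() unchanged, both IMG vectors decode to a javascript: URL once the references and the tab are handled the way a browser handles them, and strip_tags() returns the anchor with its onmouseover and javascript: href intact followed by the bare text alert(3). That is the reason the thread points at a real parser (HTML Purifier) for rich text and at output escaping for everything else.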
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP XSS

Post by jackpf »

Ahh yes, I understand that. Another trick would be to request an image, with document.cookie in the query string. The image could in fact be a script that logs the cookies in the database.....

Although, with HttpOnly cookies coming up now, that would be slightly less effective....

But anyway, surely you'd run htmlentities() or htmlspecialchars() on any data anyway. In that respect, you don't need "complicated regex" or whatever to prevent XSS like this, since it'd be converted to HTML entities anyway.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP XSS

Post by kaisellgren »

Obviously one of your scripts is vulnerable to XSS. As someone already mentioned, you can use HTML Purifier if you want users to be allowed to place HTML on your site. Otherwise, a simple htmlspecialchars() call with ENT_QUOTES and the correct encoding will be fine.
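To show what "htmlspecialchars() with ENT_QUOTES and the correct encoding" buys you, and where it is the wrong tool, here is an editor-added PHP example (not code from the thread) that renders the polyglot payload from the first post into an element body, a single-quoted attribute and a JavaScript string literal, each raw and escaped, with a crude check of whether the payload broke out of its context. The payload is constructed inline from the first post; e(), the render*() helpers and the check functions are illustrative names, not a library API.

```php
<?php
// Added example, not code from the thread: the polyglot payload from the first
// post rendered into three output contexts, raw and escaped, with a crude
// check for whether it broke out. Function names are illustrative.

declare(strict_types=1);

// The payload from the first post, as a nowdoc so PHP applies no escaping.
function payload(): string
{
    return <<<'XSS'
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
XSS;
}

// HTML body and attribute contexts. ENT_QUOTES also converts the single quote,
// which the default flags before PHP 8.1 leave alone; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context 1: text inside an element.
function renderBody(string $s, bool $escape): string
{
    return '<p>' . ($escape ? e($s) : $s) . '</p>';
}

// Context 2: a single-quoted attribute. 'compat' mimics the old default flags.
function renderAttr(string $s, string $mode): string
{
    if ($mode === 'raw') {
        $v = $s;
    } elseif ($mode === 'compat') {
        $v = htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
    } else {
        $v = e($s);
    }
    return "<input value='$v'>";
}

// Context 3: a JavaScript string literal inside <script>. json_encode() with the
// JSON_HEX_* flags emits <, >, &, ' and " as \uXXXX escapes and / as \/, so the
// value can close neither the string nor the <script> element.
function renderJs(string $s, bool $escape): string
{
    $v = $escape
        ? json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
        : "'" . $s . "'";
    return "<script>var name = $v;</script>";
}

// Breakout checks for these templates (not general scanners): true means the
// payload escaped its context.
function bodyHasRawTag(string $html): bool
{
    return preg_match('#<(?!/?p>)#i', $html) === 1;   // any tag beyond <p>..</p>
}

function attrIsClosedEarly(string $html): bool
{
    return substr_count($html, "'") > 2;               // more than the two delimiters
}

function jsLiteralIsInert(string $html): bool
{
    $literal = substr($html, strlen('<script>var name = '), -strlen(';</script>'));
    $inner   = substr($literal, 1, -1);                // drop the delimiting quotes
    return $literal[0] === '"' && preg_match('/[<>&\'"]/', $inner) === 0;
}

$p = payload();
foreach ([
    'body raw'     => bodyHasRawTag(renderBody($p, false)),
    'body escaped' => bodyHasRawTag(renderBody($p, true)),
    'attr raw'     => attrIsClosedEarly(renderAttr($p, 'raw')),
    'attr compat'  => attrIsClosedEarly(renderAttr($p, 'compat')),
    'attr quotes'  => attrIsClosedEarly(renderAttr($p, 'quotes')),
    'js raw'       => !jsLiteralIsInert(renderJs($p, false)),
    'js json'      => !jsLiteralIsInert(renderJs($p, true)),
] as $case => $brokeOut) {
    printf("%-13s broke out: %s\n", $case, $brokeOut ? 'yes' : 'no');
}
echo renderAttr($p, 'quotes'), "\n", renderJs($p, true), "\n";
```

Run as written, the raw body, raw attribute and raw JS cases all break out, the ENT_COMPAT attribute case breaks out too because the payload's leading single quote is left alone, and the ENT_QUOTES and json_encode() cases do not. The practical rule it demonstrates: pick the escaper by the context you are writing into, and pass the flags and charset explicitly rather than relying on the defaults of whichever PHP version happens to be installed.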
Foxy999
Forum Commoner
Posts: 45
Joined: Sat Mar 21, 2009 11:50 am

Re: PHP XSS

Post by Foxy999 »

I have tested this injection again on another page of my site, and I am not sure if it's vulnerable. It does not spawn alert boxes, but it adds some characters to my page, here's the injection:

Code:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
and this is what is added to my page:

Code:

">'> ">
Foxy
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP XSS

Post by kaisellgren »

Is that from the source or the rendered HTML page?
Foxy999
Forum Commoner
Posts: 45
Joined: Sat Mar 21, 2009 11:50 am

Re: PHP XSS

Post by Foxy999 »

It's on the rendered page, that's why I think it might be vulnerable.

Foxy
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP XSS

Post by kaisellgren »

What's the HTML source code?