PHP XSS
Posted: Mon Aug 03, 2009 4:38 pm
by Foxy999
How to prevent people from injecting code with this:
Code:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
This is straight from the xss cheat sheet at ha.ckers.org
Foxy
Re: PHP XSS
Posted: Tue Aug 04, 2009 12:36 pm
by tr0gd0rr
Try running any rich-text posts through HTMLPurifier. It takes a strict whitelist approach to HTML scrubbing with a full HTML parser.
Re: PHP XSS
Posted: Tue Aug 04, 2009 1:33 pm
by jackpf
I'm just curious - what's supposed to be vulnerable to this code?
Re: PHP XSS
Posted: Tue Aug 04, 2009 2:29 pm
by tr0gd0rr
I don't know how it works, but I just ran the following in my Firebug console on this site and it opens up an alert box with the text "XSS".
Code:
document.getElementById('site-description').innerHTML = "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";
But for example the following does not produce an alert:
Code:
document.getElementById('site-description').innerHTML = "<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";
So something about the "garbage" at the beginning must be crucial to the hack.
Re: PHP XSS
Posted: Wed Aug 05, 2009 8:46 am
by mabwi
jackpf wrote: I'm just curious - what's supposed to be vulnerable to this code?
This particular code isn't anything bad, but that site uses alerts to show you when you have a vulnerability that could be attacked by malicious code.
Re: PHP XSS
Posted: Thu Aug 06, 2009 8:08 am
by jackpf
Oh right...well that seems kind of pointless. Surely it'd be easier just to put
in the div instead?
Sorry if I'm being stupid, I just don't see the point

Re: PHP XSS
Posted: Thu Aug 06, 2009 12:00 pm
by tr0gd0rr
That may not be the best example, but the examples on http://ha.ckers.org/xss.html show that it is extremely difficult to write a set of regexes or otherwise a black-list filter that can detect all attacks. The following are some examples from xss.html that would require particularly complex regexes to detect.
Code:
<IMG SRC=javascript:alert('XSS')><<SCRIPT>alert("XSS");//<</SCRIPT>
<iframe src=http://ha.ckers.org/scriptlet.html <
žscriptualert(EXSSE)ž/script
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
That is one reason why BBCode and other markups are popular: no HTML tags are allowed at all. And of course, the alert() is just one example of a javascript snippet that could do harm. An actual hack would involve capturing keystrokes and sending them to some server via ajax or reading private data using ActiveX or who knows what else.
I ran into a vulnerability, for example, where the display of a username was not escaped on a customer service app with financial info. It would potentially allow a hacker to set a short snippet as their username and inject a keylogger that would persist in a parent frame. All you would need to do is call customer service. When they pull up that file, the CS agent would notice nothing out of the ordinary, but the script could extract info about other customer accounts when the CS agent pulled up other accounts on subsequent calls.
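An added example (not code from this thread or from HTML Purifier itself) contrasting the blacklist approach tr0gd0rr warns about here with the whitelist approach recommended earlier in the thread. It assumes HTML Purifier is installed via Composer (vendor/autoload.php); naive_blacklist and purify_whitelist are names chosen for this example.

```php
<?php
// Added example: a naive regex blacklist beside an HTML Purifier whitelist,
// run over payloads quoted from the cheat-sheet lines above.
// Assumes HTML Purifier is installed via Composer (vendor/autoload.php).
require 'vendor/autoload.php';

// Blacklist approach: strip <script> blocks and on* handlers, then hope.
function naive_blacklist(string $html): string
{
    $html = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html);
    $html = preg_replace('#\bon\w+\s*=#i', '', $html);
    return $html;
}

// Whitelist approach: parse the HTML and keep only the listed elements and
// attributes; everything else (img, iframe, style, event handlers) is dropped.
function purify_whitelist(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,a[href]');
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Samples: the first three are the cheat-sheet lines quoted in this thread,
// the last is ordinary rich text a forum would want to keep.
$samples = [
    "<IMG SRC=javascript:alert('XSS')><<SCRIPT>alert(\"XSS\");//<</SCRIPT>",
    "<iframe src=http://ha.ckers.org/scriptlet.html <",
    "<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>",
    '<b>bold</b> and <a href="https://example.com">a link</a>',
];

foreach ($samples as $s) {
    echo "input:     $s\n";
    // The <script> block is removed, but the javascript: URL in the IMG tag,
    // the unterminated iframe and the <STYLE> trick all pass through untouched.
    echo "blacklist: " . naive_blacklist($s) . "\n";
    // Only b, i, p and a[href] can survive; the last sample keeps its markup.
    echo "whitelist: " . purify_whitelist($s) . "\n\n";
}
```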
Re: PHP XSS
Posted: Thu Aug 06, 2009 12:46 pm
by jackpf
Ahh yes, I understand that. Another trick would be to request an image, with document.cookie in the query string. The image could in fact be a script that logs the cookies in the database.....
Although, with HTTP only cookies coming up now, that would be slightly less effective....
But anyway, surely you'd run htmlentities() or htmlspecialchars() on any data anyway. In that respect, you don't need "complicated regex" or whatever to prevent XSS like this, since it'd be converted to html entities anyway.
Re: PHP XSS
Posted: Fri Aug 07, 2009 1:04 pm
by kaisellgren
Obviously one of your scripts is vulnerable to XSS. As someone already mentioned, you can use HTML Purifier if you want users to be allowed to place HTML on your site. Otherwise, a simple htmlspecialchars() call with ENT_QUOTES and the correct encoding will be fine.
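An added example (not code from this thread) of the htmlspecialchars() escaping jackpf and kaisellgren describe, applied to the probe string from the first post in two different HTML contexts. It assumes PHP 7 or later; esc, esc_weak and has_raw_markup are names chosen for this example.

```php
<?php
// Added example: htmlspecialchars() output escaping in two HTML contexts,
// showing why ENT_QUOTES and an explicit charset matter.
// Assumes PHP 7+; esc/esc_weak/has_raw_markup are names chosen here.

// Hardened escaper: ENT_QUOTES covers both ' and ", ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string, charset is explicit.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Weak escaper: ENT_COMPAT (the default before PHP 8.1) leaves ' untouched.
function esc_weak(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// True if any character a parser could treat as markup survived escaping.
function has_raw_markup(string $escaped): bool
{
    return preg_match('/[<>"\']/', $escaped) === 1;
}

// The probe quoted at the top of this thread, copied as a nowdoc so that
// PHP string escaping does not alter it.
$probe = <<<'EOT'
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
EOT;

// Text-node context: both escapers turn < and > into entities, so no tag is parsed.
echo "<p>" . esc($probe) . "</p>\n";

// Single-quoted attribute context: the weak escaper leaves the leading '
// intact, so the value closes the attribute early and the rest of the input
// is parsed as part of the tag. The hardened escaper encodes the quote as an entity.
echo "<input value='" . esc_weak($probe) . "'>\n";
echo "<input value='" . esc($probe) . "'>\n";

// esc() leaves no raw < > " ' behind; esc_weak() still contains the quote.
var_dump(has_raw_markup(esc($probe)), has_raw_markup(esc_weak($probe)));
```

The same probe is inert in a text node with either flag set, which is why a test that only checks the page body can miss an attribute-context problem.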
Re: PHP XSS
Posted: Sat Aug 15, 2009 9:49 pm
by Foxy999
I have tested this injection again on another page of my site, and I am not sure if it's vulnerable. It does not spawn alert boxes, but it adds some characters to my page, here's the injection:
Code:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
and this is what is added to my page:
Foxyy
Re: PHP XSS
Posted: Sun Aug 16, 2009 1:44 am
by kaisellgren
Is that from the source or the rendered HTML page?
Re: PHP XSS
Posted: Sun Aug 16, 2009 2:01 pm
by Foxy999
It's on the rendered page, that's why I think it might be vulnerable.
Foxy
Re: PHP XSS
Posted: Sun Aug 30, 2009 1:28 am
by kaisellgren
What's the HTML source code?