
PHP XSS

Posted: Mon Aug 03, 2009 4:38 pm
by Foxy999
How to prevent people from injecting code with this:

Code:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
This is straight from the xss cheat sheet at ha.ckers.org

Foxy

Re: PHP XSS

Posted: Tue Aug 04, 2009 12:36 pm
by tr0gd0rr
Try running any rich-text posts through HTMLPurifier. It takes a strict whitelist approach to HTML scrubbing with a full HTML parser.

Re: PHP XSS

Posted: Tue Aug 04, 2009 1:33 pm
by jackpf
I'm just curious - what's supposed to be vulnerable to this code?

Re: PHP XSS

Posted: Tue Aug 04, 2009 2:29 pm
by tr0gd0rr
I don't know how it works, but I just ran the following in my Firebug console on this site and it opens up an alert box with the text "XSS".

Code:

document.getElementById('site-description').innerHTML = "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";
But for example the following does not produce an alert:

Code:

document.getElementById('site-description').innerHTML = "<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";
So something about the "garbage" at the beginning must be crucial to the hack.

Re: PHP XSS

Posted: Wed Aug 05, 2009 8:46 am
by mabwi
jackpf wrote: I'm just curious - what's supposed to be vulnerable to this code?
This particular code isn't anything bad, but that site uses alerts to show you when you have a vulnerability that could be attacked by malicious code.

Re: PHP XSS

Posted: Thu Aug 06, 2009 8:08 am
by jackpf
Oh right...well that seems kind of pointless. Surely it'd be easier just to put

Code:

<script>alert('hello');</script>
in the div instead?

Sorry if I'm being stupid, I just don't see the point 8O

Re: PHP XSS

Posted: Thu Aug 06, 2009 12:00 pm
by tr0gd0rr
That may not be the best example, but the examples on http://ha.ckers.org/xss.html show that it is extremely difficult to write a set of regexes or otherwise a black-list filter that can detect all attacks. The following are some examples from xss.html that would require particularly complex regexes to detect.

Code:

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29><<SCRIPT>alert("XSS");//<</SCRIPT>
<iframe src=http://ha.ckers.org/scriptlet.html <
¼script¾alert(¢XSS¢)¼/script¾
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
That is one reason why BBCode and other markups are popular: no HTML tags are allowed at all. And of course, the alert() is just one example of a javascript snippet that could do harm. An actual hack would involve capturing keystrokes and sending them to some server via ajax or reading private data using ActiveX or who knows what else.

I ran into a vulnerability, for example, where the display of a username was not escaped on a customer service app with financial info. It would potentially allow a hacker to set a short snippet as their username and inject a keylogger that would persist in a parent frame. All you would need to do is call customer service. When they pull up that file, the CS agent would notice nothing out of the ordinary, but the script could extract info about other customer accounts when the CS agent pulled up other accounts on subsequent calls.

Re: PHP XSS

Posted: Thu Aug 06, 2009 12:46 pm
by jackpf
Ahh yes, I understand that. Another trick would be to request an image, with document.cookie in the query string. The image could in fact be a script that logs the cookies in the database.....

Although, with HTTP-only cookies coming up now, that would be slightly less effective....

But anyway, surely you'd run htmlentities() or htmlspecialchars() on any data anyway. In that respect, you don't need "complicated regex" or whatever to prevent XSS like this, since it'd be converted to html entities anyway.

Re: PHP XSS

Posted: Fri Aug 07, 2009 1:04 pm
by kaisellgren
Obviously one of your scripts is vulnerable to XSS. As someone already mentioned, you can use HTML Purifier if you want users to be allowed to place HTML on your site. Otherwise, a simple htmlspecialchars() call with ENT_QUOTES and the correct encoding will be fine.
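As an added example (not code posted by anyone in this thread), the script below puts the two approaches discussed here side by side: a blacklist regex of the kind tr0gd0rr argues cannot keep up with the ha.ckers.org vectors, and the htmlspecialchars() call with ENT_QUOTES and an explicit charset that jackpf and kaisellgren recommend. The inputs are the vectors quoted in this thread plus one harmless string; the function names (blacklistFilter, escapeForHtml, escapeForJsString, containsRawTag, report) are mine, not from any library. It also adds the one context htmlspecialchars() does not cover: the first payload starts with `';` and carries a `</SCRIPT>` because it is built to break out of a JavaScript string literal as well, and a value emitted inside a script block needs a JSON/JS-string encoder instead.

```php
<?php
// Added example for this thread (not code posted by anyone here): blacklist
// filtering versus context-correct output encoding, run over the vectors
// quoted above. Function names and sample inputs are my own.
declare(strict_types=1);

// Constructed inputs: a harmless string plus vectors quoted in the thread.
function samples(): array
{
    return [
        'plain'      => "Tom & Jerry's \"show\"",
        'cheatsheet' => "';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>",
        'img_entity' => '<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>',
        'style'      => '<STYLE>@im\port\'\ja\vasc\ript:alert("XSS")\';</STYLE>',
    ];
}

// A blacklist of the kind the thread warns against: it recognises a few
// literal spellings and knows nothing about entities, other tags or CSS.
function blacklistFilter(string $s): string
{
    return (string) preg_replace('~<script\b[^>]*>.*?</script>|javascript:|\bon\w+\s*=~is', '', $s);
}

// Output encoding for HTML text and attribute values: every character the
// HTML parser cares about becomes an entity. ENT_QUOTES also covers single
// quotes (needed inside value='...'); the charset must match the page's.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// For a value placed inside a <script> block, htmlspecialchars() is the wrong
// encoder. JSON-encoding with the HEX flags turns < > ' " & into \uXXXX so the
// value can neither end the string literal nor close the script element.
function escapeForJsString(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    if ($out === false) {
        throw new RuntimeException('input is not valid UTF-8: ' . json_last_error_msg());
    }
    return $out;
}

// Would an HTML parser still see a tag start in the string as it will be
// emitted? A raw "<" followed by "/" or a letter is what matters; an entity
// such as &lt; renders as text and never opens a tag.
function containsRawTag(string $s): bool
{
    return preg_match('~<\s*/?[a-z]~i', $s) === 1;
}

// Run both approaches over every sample and report whether markup survives.
function report(): array
{
    $rows = [];
    foreach (samples() as $name => $input) {
        $rows[$name] = [
            'blacklist_leaves_tag' => containsRawTag(blacklistFilter($input)),
            'escaped_leaves_tag'   => containsRawTag(escapeForHtml($input)),
        ];
    }
    return $rows;
}

if (PHP_SAPI === 'cli') {
    foreach (report() as $name => $row) {
        printf("%-11s blacklist leaves tag: %-5s  htmlspecialchars leaves tag: %s\n",
            $name,
            var_export($row['blacklist_leaves_tag'], true),
            var_export($row['escaped_leaves_tag'], true));
    }
    echo "JS-string context: ", escapeForJsString(samples()['cheatsheet']), "\n";
}
```

Run it with `php example.php`. The blacklist strips the trailing `<SCRIPT>...</SCRIPT>` from the cheat-sheet payload but leaves the dangling `</SCRIPT>">'>` fragment in place, and it does not touch the entity-encoded IMG vector or the STYLE vector at all, so a raw tag survives in three of the four inputs. The escaped output never contains a raw tag, because the decision about what is markup is no longer made by guessing at bad spellings but by encoding everything the parser could act on. If users are meant to post HTML, that is the case for a whitelist parser such as HTML Purifier, as mentioned earlier in the thread, rather than a longer blacklist.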

Re: PHP XSS

Posted: Sat Aug 15, 2009 9:49 pm
by Foxy999
I have tested this injection again on another page of my site, and I am not sure if it's vulnerable. It does not spawn alert boxes, but it adds some characters to my page, here's the injection:

Code:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
and this is what is added to my page:

Code:

">'> ">
Foxy

Re: PHP XSS

Posted: Sun Aug 16, 2009 1:44 am
by kaisellgren
Is that from the source or the rendered HTML page?

Re: PHP XSS

Posted: Sun Aug 16, 2009 2:01 pm
by Foxy999
It's on the rendered page, that's why I think it might be vulnerable.

Foxy

Re: PHP XSS

Posted: Sun Aug 30, 2009 1:28 am
by kaisellgren
What's the HTML source code?