Strip Tags Bypass

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

fbatalha
Forum Newbie
Posts: 5
Joined: Tue Feb 08, 2011 9:41 am

Strip Tags Bypass

Post by fbatalha »

Hello all,
I'm curious about a really small piece of code and would like to know the possible bypasses for it:

Code:

<?php
$var = $_GET['type'];
echo "<input type='" . strip_tags($var) . "' >";
?>
I tried encoding my attack string in various ways but I am new and could not figure it out, mainly because of the ' '. Without it, I could do: http://localhost/index.php?type=text onkeyup=javascript:alert(0)

Thanks in advance for your help,
Felipe.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Strip Tags Bypass

Post by Weirdan »

That's easy:

Code:

$var = "' onmouseover=alert(document.cookie) ";
When you're outputting anything as an attribute value you need to pass it through htmlspecialchars($var, ENT_QUOTES);
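The two renderings side by side, as an added example that is not code from the thread: the original post's strip_tags() version next to the htmlspecialchars(..., ENT_QUOTES) version Weirdan recommends, both fed the payload from his reply. The helper functions and the DOMDocument-based check are my own; the check parses the emitted markup the way a browser would and lists the attributes the parser actually sees on the input element.

```php
<?php
// Added example, not code from the thread: the original post's strip_tags()
// rendering next to the htmlspecialchars(..., ENT_QUOTES) rendering Weirdan
// recommends, both fed the payload from his reply. The helper functions and
// the DOMDocument check are my own.

// Rendering from the original post. strip_tags() only removes <...> tags; it
// leaves quotes alone, so the value can close the type='...' attribute early.
function render_with_strip_tags(string $type): string
{
    return "<input type='" . strip_tags($type) . "' >";
}

// Hardened rendering. ENT_QUOTES makes htmlspecialchars() encode both ' and "
// (as well as < > &), so the value can no longer terminate the attribute.
function render_with_htmlspecialchars(string $type): string
{
    return "<input type='" . htmlspecialchars($type, ENT_QUOTES, 'UTF-8') . "' >";
}

// What a browser would see: parse the markup and list the attribute names on
// the <input> element. Any attribute besides "type" means the value broke out.
function input_attribute_names(string $html): array
{
    libxml_use_internal_errors(true);        // the broken markup emits warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();

    $names = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Payload from Weirdan's reply.
$payload = "' onmouseover=alert(document.cookie) ";

$renderings = [
    'strip_tags'       => render_with_strip_tags($payload),
    'htmlspecialchars' => render_with_htmlspecialchars($payload),
];

foreach ($renderings as $label => $html) {
    printf("%-17s %s\n", $label . ':', $html);
    printf("%-17s attributes seen by the parser: %s\n\n",
        '', implode(', ', input_attribute_names($html)));
}
```

Run it with the PHP CLI (it needs ext/dom, which is enabled by default). The strip_tags rendering is reported with an event-handler attribute in addition to type, because the unencoded quote closed the attribute; the htmlspecialchars rendering is reported with only type, since the quote is emitted as an entity and the whole payload stays inside the attribute value.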
fbatalha
Forum Newbie
Posts: 5
Joined: Tue Feb 08, 2011 9:41 am

Re: Strip Tags Bypass

Post by fbatalha »

Thanks for the reply. You mean adding that line of code directly into the script, right? I am looking more at the client's side and the way he would inject code via the URL (which is then retrieved via $_GET), because strip_tags will escape the single quotes. I tested the function you recommended and it does the work given that the attribute is properly enclosed with ' ', correct?

Thank you!
fbatalha
Forum Newbie
Posts: 5
Joined: Tue Feb 08, 2011 9:41 am

Re: Strip Tags Bypass

Post by fbatalha »

Sorry, of course, escaping it with a \ will not work as html will still handle the single quote. I managed to attack it with the following:

http://localhost/index.php?type=text' onkeyup=javascript:alert(document.cookie)>

Which resulted in the following html source code:

<input type='text\' onkeyup=javascript:alert(document.cookie)>' >

Thanks!
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Strip Tags Bypass

Post by Weirdan »

fbatalha wrote: I tested the function you recommended and it does the work given that the attribute is properly enclosed with ' ', correct?
It would work for attributes enclosed in either single ('...') or double ("...") quotes.
fbatalha
Forum Newbie
Posts: 5
Joined: Tue Feb 08, 2011 9:41 am

Re: Strip Tags Bypass

Post by fbatalha »

Let's say I output arbitrary data to an html comment tag using htmlspecialchars(), like this:

Code:

<?php
$var = $_GET['type'];
echo "<!--" . htmlspecialchars($var) . " -->";
?>
It is safe because I can't break the context as long as htmlspecialchars() encodes '>'. Is this correct, or are there some ways of bypassing it given that it is inside a commentary?

Thanks.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Strip Tags Bypass

Post by Weirdan »

fbatalha wrote: It is safe because I can't break the context as long as htmlspecialchars() encode '>'.
Yes. Some Asian languages/encodings could require you to specify encoding explicitly. This is not needed for common European encodings, including utf8, latin-1, cp1251, cp1252 and most others.
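The comment-context case from the last two posts, as an added example that is not code from the thread: untrusted data written into an HTML comment through htmlspecialchars(), with the charset passed explicitly as Weirdan suggests. The render function, the check and the sample inputs are my own; the inputs are constructed, and one of them deliberately contains a byte sequence that is not valid UTF-8 to show why the ENT_SUBSTITUTE flag is worth adding alongside the explicit charset.

```php
<?php
// Added example, not code from the thread: output untrusted data inside an
// HTML comment, as fbatalha proposed, with the charset given explicitly as
// Weirdan suggests. Render function, check and sample inputs are my own.

function render_comment(string $untrusted, string $charset = 'UTF-8'): string
{
    // ENT_QUOTES encodes quotes as well as < > &. ENT_SUBSTITUTE (PHP >= 5.4)
    // replaces byte sequences that are invalid for $charset with U+FFFD
    // instead of making htmlspecialchars() return an empty string.
    $encoded = htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
    return "<!--" . $encoded . " -->";
}

// The only way out of a comment is a '>' (as part of "-->" or "--!>"), so the
// context holds as long as no literal '>' survives in the comment body.
function comment_body_contains_gt(string $html): bool
{
    $body = substr($html, 4, -4);   // strip the leading "<!--" and trailing " -->"
    return strpos($body, '>') !== false;
}

// Constructed inputs: an ordinary value, a value that tries to end the comment,
// and a value ending in a truncated multibyte sequence (invalid UTF-8).
$samples = [
    'text',
    '--><b>out of the comment</b>',
    "text\xC3",
];

foreach ($samples as $s) {
    $html = render_comment($s);
    printf("%-36s => %s  (raw '>' in body: %s)\n",
        json_encode($s), $html, comment_body_contains_gt($html) ? 'yes' : 'no');
}
```

Run it with the PHP CLI. Every '>' in the second sample is emitted as an entity, so the comment is never closed early; the third sample shows the substitution character in place of the bad byte rather than an empty comment body. Passing the charset the page is actually served in matters precisely for the multibyte encodings Weirdan mentions, where htmlspecialchars() has to know the character boundaries to encode reliably.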