Strip Tags Bypass
Posted: Tue Feb 08, 2011 9:51 am
by fbatalha
Hello all,
I'm curious about a really small piece of code and would like to know the possible bypasses for it:
<?php
$var = $_GET['type'];
echo "<input type='" . strip_tags($var) . "' >";
?>
I tried encoding my attack string in various ways but I am new and could not figure it out, mainly because of the ' '. Without it, I could do:
http://localhost/index.php?type=text onkeyup=javascript:alert(0)
Thanks in advance for your help,
Felipe.
Re: Strip Tags Bypass
Posted: Tue Feb 08, 2011 12:04 pm
by Weirdan
That's easy:
$var = "' onmouseover=alert(document.cookie) ";
When you're outputting anything as an attribute value you need to pass it through htmlspecialchars($var, ENT_QUOTES);
Re: Strip Tags Bypass
Posted: Tue Feb 08, 2011 12:26 pm
by fbatalha
Thanks for the reply. You mean adding that line of code directly into the script, right? I am looking more at the client's side and the way he would inject code via the URL (which is then retrieved via $_GET), because strip tags will escape the single quotes. I tested the function you recommended and it does the work given that the attribute is properly enclosed with ' ', correct?
Thank you!
Re: Strip Tags Bypass
Posted: Tue Feb 08, 2011 12:42 pm
by fbatalha
Sorry, of course, escaping it with a \ will not work as HTML will still handle the single quote. I managed to attack it with the following:
http://localhost/index.php?type=text' onkeyup=javascript:alert(document.cookie)>
Which resulted in the following HTML source code:
<input type='text\' onkeyup=javascript:alert(document.cookie)>' >
Thanks!
Re: Strip Tags Bypass
Posted: Tue Feb 08, 2011 12:48 pm
by Weirdan
fbatalha wrote: I tested the function you recommended and it does the work given that the attribute is properly enclosed with ' ', correct?
It would work for attributes enclosed in either single ('...') or double ("...") quotes.
Re: Strip Tags Bypass
Posted: Wed Feb 09, 2011 8:56 am
by fbatalha
Let's say I output arbitrary data to an html comment tag using htmlspecialchars(), like this:
<?php
$var = $_GET['type'];
echo "<!--" . htmlspecialchars($var) . " -->";
?>
It is safe because I can't break the context as long as htmlspecialchars() encodes '>'. Is this correct, or are there some ways of bypassing it given that it is inside a comment?
Thanks.
Re: Strip Tags Bypass
Posted: Wed Feb 09, 2011 9:04 am
by Weirdan
fbatalha wrote: It is safe because I can't break the context as long as htmlspecialchars() encodes '>'.
Yes. Some Asian languages/encodings could require you to specify encoding explicitly. This is not needed for common European encodings, including utf8, latin-1, cp1251, cp1252 and most others.
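As an added example (not code from the thread), the script below puts the original strip_tags() snippet next to the htmlspecialchars(ENT_QUOTES) version Weirdan recommends, feeds both the payload quoted above, and applies the same encoding to the HTML-comment case discussed at the end. It assumes PHP 5.4 or later, where magic_quotes_gpc no longer inserts the backslash that appears in fbatalha's captured output; the attribute_intact() check is a hypothetical helper written for this demonstration.

```php
<?php
// Added example: vulnerable strip_tags() rendering vs. the htmlspecialchars()
// fix, run offline against the payload quoted in the thread.
declare(strict_types=1);

// Original, vulnerable version: strip_tags() only removes <...> tags, so a
// single quote passes through untouched and closes the attribute early.
function render_input_unsafe(string $type): string
{
    return "<input type='" . strip_tags($type) . "' >";
}

// The fix: encode for the attribute context. ENT_QUOTES turns both ' and "
// into entities, so the value can never terminate the surrounding quotes.
// The charset is given explicitly, as Weirdan notes some encodings require.
function render_input_safe(string $type): string
{
    $enc = htmlspecialchars($type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type='" . $enc . "' >";
}

// Comment context from later in the thread: '>' becomes &gt;, so the
// "-->" terminator cannot be reproduced inside the comment.
function render_comment_safe(string $text): string
{
    return "<!--" . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . " -->";
}

// Defender-side check (hypothetical helper): the value must still sit inside
// exactly one pair of single quotes, with no stray quote or '>' inside it.
function attribute_intact(string $html): bool
{
    return preg_match("/^<input type='[^'>]*' >$/", $html) === 1;
}

// Constructed inputs: the attribute payload quoted by Weirdan, and a bare
// comment terminator for the second case.
$payload        = "' onmouseover=alert(document.cookie) ";
$commentPayload = "-->";

$cases = [
    'unsafe' => render_input_unsafe($payload),
    'safe'   => render_input_safe($payload),
];
foreach ($cases as $label => $html) {
    printf("%-6s %s  intact=%s\n", $label, $html, attribute_intact($html) ? 'yes' : 'no');
}
echo render_comment_safe($commentPayload), "\n";
```

Run with `php example.php`: the unsafe line fails the intact check because the quote closes the attribute and the event handler lands outside it, while the safe line and the comment keep their original context.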