XSS prevention

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

XSS prevention

Post by alex.barylski »

I need to propagate GET parameters from one script to another via an IFRAME:

<iframe src="domain.com?<?php echo http_build_query($_GET); ?>" />

Are there any potential exploits? What can I do to prevent this?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Treat GET data the same way that you always would. It's no more or less secure than any other GET request.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I realize that, but what are the exploits and more importantly what is the fix? :)

The data is secured on the backend before querying DB, etc. So it's only XSS I'm worried about although I'm not sure if there is a potential for problems or not, other than cookie theft.

I'm guessing it's possible to

javascript: alert(document.cookie)

But what good that would do, I don't know. It's not persisted so you would only ever get your own cookie information. Unless I'm missing something, which is what I am wondering. :)
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

XSS is powerless if you don't echo any of the GET data. Do you?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I do exactly as I have shown in my first post, so yes I echo $_GET data into a URL for an IFRAME. How is this dangerous?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Your security banks on http_build_query() properly escaping everything. Nothing more, nothing less.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

What kind of exploit could be carried out though?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Whatever exploits the function lets through. If you're expecting a list, you're going to have to wait. I don't use the function.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Haha. Fair enough. I am curious to know what kind of exploit(s) could be executed by simply echoing GPC variables to an IFRAME URL.

I assume it is similar to XSS exploits found in FORM action attributes and <?php echo $_SERVER['PHP_SELF'] ?>

The only time I am personally aware of an issue (that I can think of anyway) is when data from storage is echoed without escaping. But just outputting GPC data would only allow an attacker to exploit his/her own session.

Any insight is appreciated :)
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

htmlspecialchars() would solve any XSS in the sense that you seem to be referring to.

However, there could be other XSS issues in what the page is actually capable of doing from the GET variables.

Hockey wrote:But just outputting GPC data, would only allow an attacker to exploit his/her own session.
... No, that's not true. That is why XSS is dangerous: all they need is a URL and a way to get people to visit the URL. Through a link.. Through a src attribute... Through a redirection... Anything can do it. As long as you trust GET requests, you're open to XSS. It's just a matter of how much damage it can do.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

superdezign wrote:htmlspecialchars() would solve any XSS in the sense that you seem to be referring to.

However, there could be other XSS issues in what the page is actually capable of doing from the GET variables.
Hockey wrote:But just outputting GPC data, would only allow an attacker to exploit his/her own session.
... No, that's not true. That is why XSS is dangerous: all they need is a URL and a way to get people to visit the URL. Through a link.. Through a src attribute... Through a redirection... Anything can do it. As long as you trust GET requests, you're open to XSS. It's just a matter of how much damage it can do.

Ok, that's what was running through the back of my mind, but I'm still not clear on how an exploit can be executed. Can you elaborate?

Using my example (initial post) how can that be exploited?

If a user clicks on a link such as:

<a href="domain.com?js=javascript: alert('document.cookie')">Happy Stuff</a>

For starters, I think the function I use doesn't even concern itself with anything before '?', only appending name=value pairs, which would reproduce the URL as shown. Which I can't see as harmful because you cannot invoke JS unless the protocol is specified properly.

I am curious to see how this can be done, using unescaped GPC data.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Hockey wrote:If a user clicks on a link such as:

<a href="domain.com?js=javascript: alert('document.cookie')">Happy Stuff</a>

But if a user clicks a link like this:

http://domain.tld/path/to/page.php?foo=<script>alert('I'm gonna steal your PHPSESSID cookie!');</script>

If you output $_GET['foo'] at any point, unfiltered, then you're open to XSS.
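As an added example (not code posted in this thread), the IFRAME from the first post built with and without the htmlspecialchars() fix superdezign suggests, next to the framed page that receives the parameters, run against a constructed $_GET; the host domain.example, the parameter names and the helper names are assumptions.

```php
<?php
// Added example, not from the thread. Models the first post's IFRAME and the page it frames.

// Constructed sample input: the query a hostile link could deliver (domain.example is a placeholder).
$sample = [
    'page' => '2',
    'foo'  => "<script>alert(1)</script>",
    'js'   => "javascript: alert('document.cookie')",
];

// The first post's approach. http_build_query() percent-encodes keys and values with urlencode()
// rules, so '<', '>', quotes and spaces cannot close the src attribute; the '&' separators are the
// only HTML-special characters left in its output.
function iframe_src_raw(array $params): string
{
    return 'https://domain.example/page.php?' . http_build_query($params);
}

// Hardened form: escape for the HTML attribute context as well (superdezign's fix), so '&' becomes
// '&amp;' and the markup stays well-formed whatever the query string holds.
function iframe_src_safe(array $params): string
{
    $url = 'https://domain.example/page.php?' . http_build_query($params);
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The framed page is where the real exposure lives: echoing a parameter unescaped puts the
// <script> tag into the response verbatim; escaping it on output does not.
function framed_page_unsafe(array $params): string
{
    return '<p>You searched for: ' . ($params['foo'] ?? '') . '</p>';
}

function framed_page_safe(array $params): string
{
    $foo = htmlspecialchars($params['foo'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>You searched for: ' . $foo . '</p>';
}

// Self-check: true when the encoded src carries no raw '<', '>' or '"', the safe src has '&amp;',
// and only the unescaped framed page reproduces the script tag.
function check(array $params): bool
{
    return strpbrk(iframe_src_raw($params), '<>"') === false
        && str_contains(iframe_src_safe($params), '&amp;')
        && str_contains(framed_page_unsafe($params), '<script>')
        && !str_contains(framed_page_safe($params), '<script>');
}

echo '<iframe src="' . iframe_src_safe($sample) . '"></iframe>', PHP_EOL;
echo check($sample) ? 'checks passed' : 'checks FAILED', PHP_EOL;
```

The takeaway matches the thread: http_build_query() keeps the attribute intact, but the page on the other end of the IFRAME still has to escape anything it echoes from $_GET.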