XSS prevention
Posted: Tue Aug 14, 2007 5:49 pm
by alex.barylski
I need to propagate GET parameters from one script to another via an IFRAME:
<iframe src="domain.com?<?php echo http_build_query($_GET); ?>" />
Are there any potential exploits? What can I do to prevent this?
Posted: Tue Aug 14, 2007 5:51 pm
by superdezign
Treat GET data the same way that you always would. It's no more or less secure than any other GET request.
Posted: Tue Aug 14, 2007 6:01 pm
by alex.barylski
I realize that, but what are the exploits and more importantly what is the fix?
The data is secured on the backend before querying DB, etc. So it's only XSS I'm worried about although I'm not sure if there is a potential for problems or not, other than cookie theft.
I'm guessing it's possible to
javascript: alert(document.cookie)
But what good that would do, I don't know. It's not persisted, so you would only ever get your own cookie information. Unless I'm missing something, which is what I am wondering.

Posted: Tue Aug 14, 2007 6:32 pm
by superdezign
XSS is powerless if you don't echo any of the GET data. Do you?
Posted: Tue Aug 14, 2007 8:41 pm
by alex.barylski
I do exactly as I have shown in my first post, so yes I echo $_GET data into a URL for an IFRAME. How is this dangerous?
Posted: Tue Aug 14, 2007 9:44 pm
by feyd
Your security banks on http_build_query() properly escaping everything. Nothing more, nothing less.
Posted: Wed Aug 15, 2007 12:17 pm
by alex.barylski
What kind of exploit could be carried out, though?
Posted: Wed Aug 15, 2007 3:34 pm
by feyd
Whatever exploits the function lets through. If you're expecting a list, you're going to have to wait. I don't use the function.
Posted: Wed Aug 15, 2007 5:07 pm
by alex.barylski
Haha. Fair enough. I am curious to know what kind of exploit(s) could be executed by simply echoing GPC variables to an IFRAME URL.
I assume it is similar to XSS exploits found in FORM action attributes and
<?php echo $_SERVER['PHP_SELF'] ?>
The only time I am personally aware of an issue (that I can think of, anyways) is when data from storage is echoed without escaping. But just outputting GPC data would only allow an attacker to exploit his/her own session.
Any insight is appreciated

Posted: Wed Aug 15, 2007 5:15 pm
by superdezign
htmlspecialchars() would solve any XSS in the sense that you seem to be referring to.
However, there could be other XSS issues in what the page is actually capable of doing from the GET variables.
Hockey wrote: But just outputting GPC data would only allow an attacker to exploit his/her own session.
... No, that's not true. That is why XSS is dangerous: all they need is a URL and a way to get people to visit the URL. Through a link... Through a src attribute... Through a redirection... Anything can do it. As long as you trust GET requests, you're open to XSS. It's just a matter of how much damage it can do.
Posted: Wed Aug 15, 2007 5:28 pm
by alex.barylski
superdezign wrote: htmlspecialchars() would solve any XSS in the sense that you seem to be referring to.
However, there could be other XSS issues in what the page is actually capable of doing from the GET variables.
Hockey wrote: But just outputting GPC data would only allow an attacker to exploit his/her own session.
... No, that's not true. That is why XSS is dangerous: all they need is a URL and a way to get people to visit the URL. Through a link... Through a src attribute... Through a redirection... Anything can do it. As long as you trust GET requests, you're open to XSS. It's just a matter of how much damage it can do.
Ok, that's what was running through the back of my mind, but I'm still not clear on how an exploit can be executed. Can you elaborate?
Using my example (initial post), how can that be exploited?
If a user clicks on a link such as:
<a href="domain.com?js=javascript: alert('document.cookie')">Happy Stuff</a>
For starters, I think the function I use doesn't even concern itself with anything before '?', only appending name=value pairs, which would reproduce the URL as shown. Which I can't see as harmful, because you cannot invoke JS unless the protocol is specified properly.
I am curious to see how this can be done, using unescaped GPC data.
Posted: Wed Aug 15, 2007 6:07 pm
by superdezign
Hockey wrote: If a user clicks on a link such as:
<a href="domain.com?js=javascript: alert('document.cookie')">Happy Stuff</a>
But if a user clicks a link like this:
http://domain.tld/path/to/page.php?foo=<script>alert('I'm gonna steal your PHPSESSID cookie!');</script>
If you output $_GET['foo'] at any point, unfiltered, then you're open to XSS.
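To make feyd's and superdezign's points concrete, here is an added example (not code from the thread): it builds the iframe src three ways from a constructed $_GET that carries the kind of value shown above, and then shows what the receiving page must do with $_GET['foo'] before printing it. The URL example.com and the function names are placeholders chosen for the example.

```php
<?php
// Constructed stand-in for $_GET, carrying the two kinds of value discussed in the thread.
$get = ['foo' => "<script>alert('x')</script>", 'js' => 'javascript:alert(1)'];

// 1. Raw interpolation: nothing is encoded, so a value containing " closes the
//    src attribute and whatever follows becomes part of the <iframe> tag. Vulnerable.
function srcRaw(array $params): string {
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = "$k=$v";
    }
    return 'https://example.com/page.php?' . implode('&', $pairs);
}

// 2. http_build_query(): keys and values go through urlencode(), so <, >, ", ', (, ), /
//    and : all become %XX sequences. They can neither break out of the attribute nor
//    form a javascript: scheme. The only unencoded non-alphanumeric is the & separator.
function srcQuery(array $params): string {
    return 'https://example.com/page.php?' . http_build_query($params);
}

// 3. Escape for the HTML attribute context as well: htmlspecialchars() turns & into &amp;
//    and would neutralise any " or ' if a different query builder ever let one through.
function srcAttr(array $params): string {
    return htmlspecialchars(srcQuery($params), ENT_QUOTES, 'UTF-8');
}

// Receiving side: the framed page gets foo=%3Cscript%3E... and PHP decodes it back into
// $_GET['foo'] = "<script>...". Printing it unfiltered is the XSS; escaping it is the fix.
function renderFoo(string $foo): string {
    return '<p>' . htmlspecialchars($foo, ENT_QUOTES, 'UTF-8') . '</p>';
}

printf("raw:   <iframe src=\"%s\"></iframe>\n", srcRaw($get));
printf("query: <iframe src=\"%s\"></iframe>\n", srcQuery($get));
printf("attr:  <iframe src=\"%s\"></iframe>\n", srcAttr($get));
printf("page:  %s\n", renderFoo($get['foo']));
```

The "query" line shows why the thread's http_build_query() pattern holds up on its own, while the "page" line is superdezign's closing point: encoding on the way into the iframe URL does nothing for the page that later echoes the decoded parameter.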