XSS exploit example?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

XSS exploit example?

Post by alex.barylski »

Particular the type two variety...URL injection style I guess.

As I understand it, href can be exploited inside an anchor like so:

Code:

<a href="?idx=<?php echo $idx; ?>&key=<?php echo $key; ?>">This is a safe link click me</a>
The $idx variable has been secured by being cast to an integer somewhere in the system. The $key, however, is a plaintext string representing a first or last name. Because of names like O'Brien we do not addslashes (this is done already in the model to prevent SQLi), so the server side is secured; however, this opens a potential hole on the client side (XSS2) - or so I believed.

By not escaping/htmlspecialchars-ing the $key and allowing characters like the single quote, it's possible an attacker might try to halt the normal href sequence.

Code:

$key = "O'Brien"; // Expected input

Code:

<a href="?index=<?php echo $idx; ?>&<?php echo $key; ?>">Safe Url Click Me</a>
I have tried to change the URL to inject JavaScript, but have not been successful with the above URL starting with '?'.

The worst I can see happening is the attacker being able to add other GET name=value pairs, which should have no ill effect on the client. As for getting any JavaScript to execute...nothing.

So I ask, can someone show me how XSS exploits occur if the href is prefixed with a '?'?

I can see situations like the one below causing potential problems:

Code:

<a href="<?php echo $_SERVER['PHP_SELF']; ?>?idx=<?php echo $idx; ?>">Potential Problems</a>
But once an expected character sets the tone for the URL I fail to see any exploits...so are URLs safe from XSS exploits if prefixed with a '?'?

Cheers :)
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Post by arjan.top »

I hope I understood you :)


Example:

Code:

$key = "\">Safe Url Click Me</a><script>alert('XSS')</script><a style=\"display:none\" href=\"hidden";
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I'm not sure if you understood...

Where did the <script> tag come in??? :?
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Post by arjan.top »

I thought that $key is form input (expected input), so what is it?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

EDIT: Ok thanks I got it figured out. Indeed XSS can be carried out even if the URL is prefixed with '?'...Cheers and thanks :D

Yes $key is unfiltered form data so it can be *anything* for the sake of this example.

Code:

<a href="?index=<?php echo $idx; ?>&<?php echo $key; ?>">Safe Url Click Me</a>
Given the above anchor...how would you inject an XSS attack?

Code:

$key = "\">Safe Url Click Me</a><script>alert('XSS')</script>";
Ok, I'm starting to see how <script> could be injected into the output...I'll try it and be right back :)
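To make the mechanism above concrete, here is an added example (not code from the thread or from either poster) that renders the thread's anchor with the raw $key and with the value URL-encoded and then HTML-escaped for the attribute context. The index value 7 and the helper names are assumptions; the payload is the one arjan.top posted.

```php
<?php
// Added example: the leading '?' only fixes the *start* of the URL. A raw
// double quote in $key closes the href attribute, and everything after it is
// parsed as new HTML, so the browser sees a second element, not query data.

function renderUnsafe(int $idx, string $key): string
{
    // Same output as the thread's template:
    // <a href="?index=<?php echo $idx; ?>&<?php echo $key; ?>">...
    return '<a href="?index=' . $idx . '&' . $key . '">Safe Url Click Me</a>';
}

function renderSafe(int $idx, string $key): string
{
    // Two contexts, two encoders: urlencode() keeps the value inside the
    // query string (%22 instead of "), then htmlspecialchars() with ENT_QUOTES
    // makes it safe to sit inside a quoted HTML attribute.
    $attr = htmlspecialchars(urlencode($key), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="?index=' . $idx . '&key=' . $attr . '">Safe Url Click Me</a>';
}

function escapesAttribute(string $html): bool
{
    // One well-formed anchor contains exactly two '<' (open and close tag).
    // Any extra '<' means user data created a new tag, i.e. left the attribute.
    return substr_count($html, '<') > 2;
}

// Constructed inputs: the expected name and the payload from the thread.
$inputs = [
    "O'Brien",
    "\">Safe Url Click Me</a><script>alert('XSS')</script>",
];

foreach ($inputs as $key) {
    $unsafe = renderUnsafe(7, $key);
    $safe   = renderSafe(7, $key);
    echo "input : $key\n";
    echo "unsafe: $unsafe\n";
    echo "        leaves the href attribute? " . (escapesAttribute($unsafe) ? 'yes' : 'no') . "\n";
    echo "safe  : $safe\n";
    echo "        leaves the href attribute? " . (escapesAttribute($safe) ? 'yes' : 'no') . "\n\n";
}
```

Run it with `php` on the command line; O'Brien stays harmless either way, while the payload only breaks out of the attribute in the unescaped rendering.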
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

This guy writes a lot about XSS, I'm sure there's a lot of good info there
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

You know, harmful links that are examples of XSS are probably not going to be on your website, but on a malicious user's. As long as you filter and validate all user input and avoid printing any unfiltered input to the screen, you'll successfully evade XSS attacks.