Jump to content
Nytro

A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written

Recommended Posts

Posted

[h=2]A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written[/h]

I've spent a lot of time over the past few months writing an enterprise application in PHP. Despite what some people may say, I believe that PHP is as secure or insecure as the developer who is writing the code. Anyway, I'm at the point in my development lifecycle where I decided that it was ready to run an application vulnerability scanner against it. What I found was interesting and I think it's worth sharing with you all.

Let me preface this by saying that I'm the guy who gives the training to our developers on the OWASP Top 10, writing secure code, etc. I'd like to think that I have a pretty good handle on programming best practices, input validation, and HTML encoding. I built all kinds of validation into this application and thought that the vulnerability scan would come up empty. For the most part I was right, but there was one vulnerability, one flaw in particular, that found it's way into every form in my application. In fact, I realized that I've made this exact same mistake in almost every PHP form that I've ever written. Talk about a humbling experience.

So here's what happened. I created a simple page with a form where the results of that form are submitted back to the page itself for processing. Let's assume it looks something like this:

<html>
<body>
<?php
if (isset($_REQUEST['submitted']) && $_REQUEST['submitted'] == '1') {
echo "Form submitted!";
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="hidden" name="submitted" value="1" />
<input type="submit" value="Submit!" />
</form>
</body>
</html>

It looks fairly straightforward, right? The problem has to do with that $_SERVER['PHP_SELF'] variable. The intent here is that PHP will display the path and name of the current page so that the form knows to submit back to the same page. The problem is that $_SERVER['PHP_SELF'] can actually be manipulated by the user. Let's say as the user I change the URL from

http://www.webadminblog.com/example.php to  http://www.webadminblog.com/example.php"><script>alert('xss');</script>

This will end the form action part of the code and inject a javascript alert into the page. This is the very definition of cross site scripting. I can't believe that with as long as I've been writing in PHP and as long as I've been studying application security, I've never realized this. Fortunately, there are a couple of different ways to fix this. First, you could use the HTML entities or HTML special character functions to sanitize the user input like this:

htmlentities($_SERVER['PHP_SELF]);

htmlspecialchars($_SERVER['PHP_SELF]);

This fix would still allow the user to manipulate the URL, and thus, what is displayed on the page, but it would render the javascript invalid. The second way to fix this is to use the script name variable instead like this:

$_SERVER['SCRIPT_NAME'];

This fix would just echo the full path and filename of the current file. Yes, there are other ways to fix this. Yes, my code example above for the XSS exploit doesn't do anything other than display a javascript alert. I just wanted to draw attention to this issue because if it's found it's way into my code, then perhaps it's found it's way into yours as well. Happy coding!

Sursa: A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written | Web Admin Blog

Nota: Nu pare sa mearga din motive evicente:

The requested URL /test.php"><script>alert(1)</script> was not found on this server.

Voua va merge?

Posted

Nu vad cum ar putea merge.


GET /example.php"><script>alert('xss');</script>

Asta inseamna


GET /example.php%22%3E%3Cscript%3Ealert('xss');%3C/script%3E

Va returna intotdeauna 404. Cel mai probabil functioneaza doar in conditia asta, desi eu cred ca intotdeuna va returna 404.


<form action="<?php echo $_SERVER['PHP_SELF']; ?>">

Posted

Si eu cred ca este imposibil sa mearga fara parametru. Odata ce punem codul js dupa .php, browserul nostru va cauta defapt un fisier "fizic" cu numele "*.php+cod js" si apoi va afisa ca nu il gaseste :) din motive evidente.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...