
New To Web Development Forum

    
Sanitize URL to prevent XSS
URL cross-site scripting vulnerabilities - php
tazzy47




msg:3667072
 8:31 pm on Jun 4, 2008 (gmt 0)

Hi -- I'm a newbie, and need some help. Hope this is where I need to post this...

I 'fell' into this job about 6 months ago, and have been able to take care of most issues to this point. Received notice from Hacker Safe about Cross Scripting vulnerabilities. We have a search - it strips all html tags, so it's not a problem. The issue is sanitizing external input entered directly into address bar through external links, keyboard, etc. I know a little php and javascript -- I don't have a clue how or where I need to insert sanitizing code that will affect URL input.

We use Apache/Linux/php.

Any help is greatly appreciated! I would like to have some hair left by this time next week.

 

httpwebwitch




msg:3667341
 5:39 am on Jun 5, 2008 (gmt 0)

XSS happens when user-entered characters are allowed to be rendered on the page, sans validation.

for instance:
/search.php?q=scuba+gear
opens a search page, where you show scuba gear. In the <head> of your page, you might have something like this:
<title>Search results for <?php print($_GET['q']) ?></title>
and further down, a nice heading:
<h1>Search results for <?php print($_GET['q']) ?></h1>

Now what if I were to request this URL?

/search.php?q=%3C%2Fh1%3E%3Cscript%3Ealert(document.cookies)%3B%3C%2Fscript%3E

the query, urldecoded, is this:
</h1><script>alert(document.cookies);</script>

rendered on the page, it ends your </h1> and executes a script. That script can do pretty much anything it wants. Combined with a little phishing, this can be a really dangerous vulnerability. Remember all it takes is one hole like that, and a kiddie can inject about 2K of pure malice via the URL.


In addition to XSS, you may also need to be concerned about SQL injection. The two are different. XSS plants executable JS code on the client, whereas SQL injection tries to manipulate SQL operations on the server using unusual user input. XSS and SQL injection are often mentioned together, since they're both easy to perpetrate by script kiddies [en.wikipedia.org], and often overlooked by beginner programmers.

For instance, take this URL:
/getuserinfo.php?userid=50
as you'd expect, will get info about user #50.

A careless coder would do this:
$query = "SELECT * FROM users WHERE id=".$_GET['userid'];

and end up with a SQL query:
SELECT * FROM users WHERE id=50

Pop quiz.
What would this URL do?

/getuserinfo.php?userid=50;DROP%20TABLE%20users

nothing good, that's what!

rocknbil




msg:3667665
 3:52 pm on Jun 5, 2008 (gmt 0)

^ ^ Shudder. :-)

Welcome aboard tazzy47!

One of the first things you do is quote everything in your selects. This is NOT a cure-all, it's one tool:

$select = "select * from table where id='{$_GET['userid']}';";

Yes, even numeric fields, although it's "implied" that quoting means you're searching on text, this is one way to start securing your selects. Many injections can be thwarted this way.

Second, as mentioned, is you should cleanse those GET vars and never put them directly in the selects.

Injection Wiki [en.wikipedia.org], and you'll find many more searching for SQL injection.
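Added example, not code from the thread: the /getuserinfo.php lookup discussed above, rebuilt with type validation and a PDO prepared statement. Because the SQL text is fixed at prepare() time and the value is bound separately, the statement's structure cannot change whatever the userid parameter contains, so no quoting rules are needed. The DSN, credentials and database name are placeholders; the table and column names follow the thread.

```php
<?php
// Added example (not from the thread): parameterised lookup for
// /getuserinfo.php?userid=50. Table/column names (users, id) follow the
// thread; DSN and credentials are placeholders.
declare(strict_types=1);

// VULNERABLE (quoted from the thread): the raw query string is glued into
// the SQL, so "50;DROP TABLE users" becomes part of the statement.
// $query = "SELECT * FROM users WHERE id=" . $_GET['userid'];

// Step 1: validate the type. userid must be a positive integer; letters,
// quotes and semicolons are rejected before any SQL is built.
function parseUserId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: bind the value as a parameter. The SQL text never contains
// user input, only the placeholder :id.
function fetchUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$id = parseUserId($_GET['userid'] ?? '');
if ($id === null) {
    http_response_code(400);
    exit('Invalid user id');
}

$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$user = fetchUser($pdo, $id); // null when no such user
```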

tazzy47




msg:3667919
 8:20 pm on Jun 5, 2008 (gmt 0)

Thank you httpwebwitch and rocknbil... I appreciate your help. And thanks for the welcome...

The guy I 'inherited' the job from had most of it pretty well covered (I think). We have php, phtml, and html pages throughout, and only the html pages are affected. In talking with McAfee, external sources can use .>"< ... alert ... "< in the browser address bar after the html, generating a javascript alert window. Does not work on phtml or php pages. Suggestions? I know user input needs to be sanitized/validated, but I don't know how to strip the html markup from external links. Will the above snippet not work with phtml extension? We have over 700 html product pages... New product pages are generated dynamically, and the site is so huge I still have trouble finding things. And, "webnut" is only one of my designated jobs (webmaster quit, boss knew I'd taken a couple years of programming classes).

Again, thanks for all the help. I'm about to suggest we hire this fix out. Didn't get as far as php security in those 2 yrs of programming classes.

httpwebwitch




msg:3668000
 10:24 pm on Jun 5, 2008 (gmt 0)

Just don't render any parts of the URL on the page. And if you do, pasteurize it first using htmlentities() [php.net].

For instance, a URL like
/example.php?title=Welcome%20to%my%site
is highly suspect. If I see one of those, the next thing I try is:
/example.php?title=It%20hurts%20when%20I%20pee
then
/example.php?title=%3Cscript%3Ealert('zzft')%3C%2Fscript%3E

you should never do this:
<?php print($_GET['variable_name']); ?>

Though honestly, someone injecting XSS on their own session is usually harmless. They might mess around with their own account, or hijack global Javascript objects. If the site is really badly architected, they may be able to access an unsecured API - who knows? it depends on the site. Serious security breaches happen when you allow users to enter text which will eventually be shown to another user.

Sort of like this reply.

If WebmasterWorld didn't pasteurize all posts before rendering them on the page, I'd have your cookies, hijack your session and be reading your mail by now.
Not that I would actually do that.
It was just an example.
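Added example, not the poster's code: the search.php page from the first reply, with htmlspecialchars() (the close relative of the htmlentities() suggested here) applied at every point where the q parameter reaches the HTML, so the thread's </h1><script> payload is rendered as visible text instead of markup. The search form is an addition to show that the same rule covers attribute values.

```php
<?php
// Added example (not from the thread): the thread's search.php with every
// URL-derived value HTML-escaped before it is written into the page.
declare(strict_types=1);

// One escaping helper, used at every output point. ENT_QUOTES also escapes
// ' and ", so the result is safe inside attribute values as well as text.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$q = $_GET['q'] ?? '';

// UNSAFE (as in the thread): print($_GET['q']) directly inside <title>
// and <h1>. With q = </h1><script>alert(document.cookies);</script>
// the value closes the heading and the browser runs the script.
//
// SAFE: e($q) turns the same value into
//   &lt;/h1&gt;&lt;script&gt;alert(document.cookies);&lt;/script&gt;
// which the browser displays literally and never parses as tags.
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Search results for <?= e($q) ?></title>
</head>
<body>
  <h1>Search results for <?= e($q) ?></h1>
  <!-- Attribute context: the quotes in $q are escaped by ENT_QUOTES,
       so the value cannot break out of value="..." -->
  <form action="/search.php" method="get">
    <input type="text" name="q" value="<?= e($q) ?>">
    <input type="submit" value="Search">
  </form>
</body>
</html>
```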

tazzy47




msg:3668653
 5:16 pm on Jun 6, 2008 (gmt 0)

Thank you! I really appreciate your help. I'll check out htmlentities today!

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved