|Sanitize URL to prevent XSS|
URL cross scripting vulnerabilities - php
| 8:31 pm on Jun 4, 2008 (gmt 0)|
Hi -- I'm a newbie, and need some help. Hope this is where I need to post this...
We use Apache/Linux/php.
Any help is greatly appreciated! I would like to have some hair left by this time next week.
| 5:39 am on Jun 5, 2008 (gmt 0)|
XSS happens when user-entered characters are allowed to be rendered on the page, sans validation.
opens a search page, where you show scuba gear. In the <head> of your page, you might have something like this:
<title>Search results for <?php print($_GET['q']) ?></title>
and further down, a nice heading:
<h1>Search results for <?php print($_GET['q']) ?></h1>
Now what if I were to request this URL?
the query, urldecoded, is this:
rendered on the page, it ends your </h1> and executes a script. That script can do pretty much anything it wants. Combined with a little phishing, this can be a really dangerous vulnerability. Remember all it takes is one hole like that, and a kiddie can inject about 2K of pure malice via the URL.
In addition to XSS, you may also need to be concerned about SQL injection. The two are different. XSS plants executable JS code on the client, whereas SQL injection tries to manipulate SQL operations on the server using unusual user input. XSS and SQL injection are often mentioned together, since they're both easy to perpetrate by script kiddies [en.wikipedia.org], and often overlooked by beginner programmers.
For instance, take this URL:
as you'd expect, will get info about user #50.
A careless coder would do this:
$query = "SELECT * FROM users WHERE id=".$_GET['userid'];
and end up with a SQL query:
SELECT * FROM users WHERE id=50
What would this URL do?
nothing good, that's what!
| 3:52 pm on Jun 5, 2008 (gmt 0)|
^ ^ Shudder. :-)
Welcome aboard tazzy47!
One of the first things you do is quote everything in your selects. This is NOT a cure-all, it's one tool:
$select = "select * from table where id='{$_GET['userid']}';";
Yes, even numeric fields, although it's "implied" that quoting means you're searching on text, this is one way to start securing your selects. Many injections can be thwarted this way.
Second, as mentioned, is you should cleanse those GET vars and never put them directly in the selects.
Injection Wiki [en.wikipedia.org], and you'll find many more searching for SQL injection.
| 8:20 pm on Jun 5, 2008 (gmt 0)|
Thank you httpwebwitch and rocknbil... I appreciate your help. And thanks for the welcome...
Again, thanks for all the help. I'm about to suggest we hire this fix out. Didn't get as far as php security in those 2 yrs of programming classes.
| 10:24 pm on Jun 5, 2008 (gmt 0)|
Just don't render any parts of the URL on the page. And if you do, pasteurize it first using htmlentities() [php.net].
For instance, a URL like
is highly suspect. If I see one of those, the next thing I try is:
you should never do this:
<?php print($_GET['variable_name']); ?>
Sort of like this reply.
If WebmasterWorld didn't pasteurize all posts before rendering them on the page, I'd have your cookies, hijack your session and be reading your mail by now.
Not that I would actually do that.
It was just an example.
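Putting the advice from this thread together, as an added example that is not code from any of the posters: the search page from the earlier reply encodes the query parameter at output time with htmlspecialchars(), and the user lookup validates the id and binds it as a query parameter instead of pasting it into the SQL string. The in-memory SQLite table, the users columns and the sample input are constructed for the demo.

```php
<?php
// Added example, not from the thread. Two fixes discussed above:
// encode untrusted input when rendering it into HTML, and keep user input
// out of the SQL text by validating it and binding it as a parameter.

// Encode for HTML context. ENT_QUOTES also covers single quotes, so the same
// function is safe inside attribute values; the charset must match the page's.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only a positive integer id, then look it up with a bound parameter.
// Returns null for an invalid id or when no row matches.
function findUser(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                       // rejected before any SQL is built
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo with constructed input (runs from the CLI, no web server needed) ---
$q = $_GET['q'] ?? '<b>"scuba" & \'gear\'</b>';   // constructed untrusted value
$safeQ = escapeHtml($q);                           // encoded once, at output time
echo "<title>Search results for {$safeQ}</title>\n";
echo "<h1>Search results for {$safeQ}</h1>\n";

// In-memory SQLite stands in for the real users table (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (50, 'tazzy47')");

var_dump(findUser($pdo, '50'));            // well-formed id, row exists
var_dump(findUser($pdo, 'not-a-number'));  // fails the integer check
var_dump(findUser($pdo, '51'));            // well-formed id, no such row
```

Encoding belongs at the point of output, not when the value is stored, so the same raw value can later be rendered safely in a different context (JSON, a URL) with the encoder appropriate to that context.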
| 5:16 pm on Jun 6, 2008 (gmt 0)|
Thank you! I really appreciate your help. I'll check out htmlentities today!