Reputation: 7639
I had someone run a pentest against an application recently and one of the critical problems it found was when some garbage was passed in a URL like this:
http://example.com/index.php/%27%3e%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45%72%52%6f%52%3d%61%6c%65%72%74%28%34%37%34%31%32%29%3e
The problem is that the attacker simply adds a slash then some encoded javascript (an image tag with alert box), which kills the page. Simple and effective attack.
How do I code against it? I am already cleaning all expected user inputs (such as when a user passes index.php?id=<script>alert(1)</script>). That part works fine.
How do I protect against unexpected data quoted below the first paragraph above? (Also, is there a specific name for this type of XSS attack?)
Upvotes: 7
Views: 344
Reputation: 2227
How do I protect against unexpected data quoted below the first paragraph above?
filter_input( INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
Thanks to @Sverri M. Olsen for explaining why to use filter_input instead of superglobals: https://stackoverflow.com/a/15103555/11173494
Also, is there a specific name for this type of XSS attack?
This is Stored XSS. The hacker could construct a custom query to attack users by storing malicious code.
@Sandeep Nair explained the difference between Stored XSS and Reflected XSS: https://stackoverflow.com/a/48893119/11173494
Upvotes: 1
Reputation: 86
The strip_tags() function may help.
For example:
$str = 'index.php?id=<script>alert(1)</script>';
echo "<pre>";
echo strip_tags($str), "\n";
The above will output:
index.php?id=alert(1)
Upvotes: 0
Reputation: 89
The previous answers are already OK, but for some reason htmlspecialchars() does not filter single quotes. If you need to filter single quotes you will need to add a parameter: htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES)
Upvotes: 1
Reputation: 7639
I was using $_SERVER['PHP_SELF'] in an href tag, so that's where the JavaScript was triggered.
The solution is simple. I run PHP_SELF through a filter before using it, and any passed garbage is cleaned and safe to use on the page.
Upvotes: 5
Reputation: 1361
Be careful with the use of $_SERVER['PHP_SELF']
You should do htmlspecialchars($_SERVER["PHP_SELF"]);
or htmlentities($_SERVER["PHP_SELF"]);
And that's a normal XSS attack.
Upvotes: 9
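A runnable illustration of the two escaping answers above (the htmlspecialchars() answer and the ENT_QUOTES follow-up), added here and not code from any of the posters. It assumes PHP 8 (for str_contains()) and uses a constructed $_SERVER['PHP_SELF'] value that stands in for the decoded path from the question, placed in a single-quoted href as the asker described:

```php
<?php
// Added example, not from any answer on this page. Constructed value standing in
// for the request path in the question, decoded: a single quote, ">" and an
// <img> tag whose onerror handler would run script.
$_SERVER['PHP_SELF'] = "/index.php/'><img src=x onerror=alert(1)>";

function linkVulnerable(): string
{
    // Raw PHP_SELF inside a single-quoted href: the quote in the path closes the
    // attribute value and the rest of the path becomes live markup in the page.
    return "<a href='" . $_SERVER['PHP_SELF'] . "'>this page</a>";
}

function linkDefaultFlags(): string
{
    // Before PHP 8.1 the default flags (ENT_COMPAT) escape <, >, & and " but not ',
    // so the quote still ends the href value and what follows is parsed as further
    // attributes of the <a> tag, which is why the ENT_QUOTES answer matters.
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_COMPAT);
    return "<a href='" . $self . "'>this page</a>";
}

function linkEscaped(): string
{
    // ENT_QUOTES escapes both quote characters, so the whole path stays inside the
    // attribute value as inert text whichever quoting style the template uses.
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='" . $self . "'>this page</a>";
}

// Self-check of the three renderings: each line reports whether the
// property holds for the constructed path above.
$checks = [
    'raw path injects an <img> tag'   => str_contains(linkVulnerable(), '<img'),
    'ENT_COMPAT leaves the quote raw' => str_contains(linkDefaultFlags(), "/index.php/'&gt;"),
    'ENT_QUOTES keeps the path inert' => str_contains(linkEscaped(), "/index.php/&#039;&gt;&lt;img"),
];
foreach ($checks as $name => $holds) {
    echo $holds ? 'ok   ' : 'FAIL ', $name, "\n";
}
echo linkVulnerable(), "\n", linkDefaultFlags(), "\n", linkEscaped(), "\n";
```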