Dipak Patil

Reputation: 31

How to prevent XSS in Magento

I have been trying for the last 5-8 hours and am not getting a solution for preventing XSS in Magento.

I have already installed all the latest patches in my Magento.

I am using this script in the catalog search input box:

 "><img src=x onerror=prompt(1);>

and I am getting this output:

[image: xss result]

I have also tried some validation like htmlEscape and strip_tags, but none of them are working for me.

Can someone please help me?

Upvotes: 1

Views: 3671

Answers (1)

inrsaurabh

Reputation: 692

I made many themes in Magento 1.9 and tested many XSS scripts, but the script is not triggered:

 1. <script>alert('hello')</script>, even
 2. in the URL www.yourwebsite.com?query=<script>alert('hello')</script>, or
 3. <img src=x onerror="alert('Pop-up window XSS infected');"> in the search box,

but every string is escaped by default by Magento itself.

This can happen if you made your own custom search and didn't follow the Magento standard for passing data to controllers and back to the frontend.

You can use value="<?php echo $this->htmlEscape(input_values_here) ?>"

Example (credit: Magento XSS Prevention):

<li class="wide">
    <label for="street_1" class="required"><em>*</em><?php echo $this->__('Street Address') ?></label>
    <div class="input-box">
        <input type="text" name="street[]" value="<?php echo $this->htmlEscape($this->getAddress()->getStreet(1)) ?>" title="<?php echo $this->__('Street Address') ?>" id="street_1" class="input-text required-entry" />
    </div>
</li>

Just for knowledge:

You can learn more about xss from XSS Tutorial

You can even check whether there is any message from Magento in your admin panel, or any patches.

Perform these basic tests on your application:

  1. Interact with your custom form/search box. Insert strings that contain HTML and JavaScript metacharacters into all application inputs, such as forms, URL parameters, hidden fields (!), or cookie values.
  2. If your form doesn't correctly escape this string, you will see an alert and will know that something went wrong.
  3. Wherever your custom form handles user-supplied URLs, enter javascript:alert(0) or data:text/html,alert(0). Create a test user profile with data similar to the test strings above. Use that profile to interact with your application. This can help identify stored XSS bugs.

Upvotes: 1
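The following is an added example, not code from the question, the answer or Magento itself. It reproduces the search-box case from the thread in plain PHP so it runs without a Magento install: the same input markup is rendered once with the raw query (the bug in the question) and once through an escaper (the fix in the answer), against the payloads quoted on the page plus one more. escapeHtmlAttr() is a hypothetical stand-in for Magento 1.x's $this->htmlEscape()/$this->escapeHtml(), which ultimately call htmlspecialchars(); safeHref() is likewise an assumption, since the page only says to test javascript: and data: URLs and does not show how they should be handled.

```php
<?php
// Added example (not from the original question, answer or Magento).
// escapeHtmlAttr() and safeHref() are hypothetical helpers; the markup and
// payload list below are constructed for this test.

declare(strict_types=1);

/** Escape a value for an HTML attribute or text node (assumption: mirrors htmlEscape()). */
function escapeHtmlAttr(string $value): string
{
    // ENT_QUOTES so the value is safe inside single- or double-quoted attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Only http(s) URLs are allowed in href; anything else (javascript:, data:) is neutralised. */
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url(trim($url), PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return '#';
    }
    return escapeHtmlAttr($url);
}

/** The bug from the question: the query string is dropped straight into value="...". */
function renderSearchBoxUnsafe(string $query): string
{
    return '<input type="text" name="q" value="' . $query . '" />';
}

/** The fix from the answer: the same template with the value escaped. */
function renderSearchBoxSafe(string $query): string
{
    return '<input type="text" name="q" value="' . escapeHtmlAttr($query) . '" />';
}

/**
 * Test step from the answer: a payload counts as reflected if it reaches the
 * page byte-for-byte, i.e. none of its metacharacters were escaped.
 */
function payloadReflected(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed test inputs: the first two are the payloads quoted on the page.
$payloads = [
    '"><img src=x onerror=prompt(1);>',   // attribute breakout (the question)
    "<script>alert('hello')</script>",     // tag injection (the answer)
    '" autofocus onfocus="alert(1)',       // breakout with no angle brackets at all
];

foreach ($payloads as $payload) {
    $unsafe = renderSearchBoxUnsafe($payload);
    $safe   = renderSearchBoxSafe($payload);
    printf("payload: %s\n", $payload);
    printf("  unsafe -> %s (reflected: %s)\n", $unsafe, payloadReflected($unsafe, $payload) ? 'yes' : 'no');
    printf("  safe   -> %s (reflected: %s)\n", $safe, payloadReflected($safe, $payload) ? 'yes' : 'no');
}

// Escaping alone does not cover URL contexts (step 3 of the answer's test list):
// htmlspecialchars() leaves "javascript:alert(0)" untouched, so a link built
// from it would still execute. Rejecting by scheme is what stops it.
foreach (['javascript:alert(0)', 'data:text/html,alert(0)', 'https://example.com/'] as $url) {
    printf("href %-26s -> %s\n", $url, safeHref($url));
}
```

Run it with `php xss_check.php`: the unsafe rendering reflects every payload, the escaped rendering reflects none (the breakout quotes and angle brackets come out as `&quot;`, `&lt;` and `&gt;`), and the last loop shows that `javascript:` and `data:` URLs are unchanged by escaping and have to be rejected on scheme instead. The substring check is deliberately coarse; it tells you whether escaping was applied at all, not whether a partially sanitised value is still exploitable, so the final confirmation is still to load the page in a browser and see whether the handler fires.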
