Reputation: 1425
PHP XSS question - Is a GET parameter that outputs nothing on the page at risk?
Ok so I just wanted to know, is this necessarily a XSS vulnerability, as it does not output the results as such?
For example:
if($_GET['doRedirect'] == "yes") {
//redirect Page
} else {
//dont redirect page
}
then
http://example.com?doRedirect=yes
I have read up on all of the XSS stuff and thought I had a good understanding of it, although now im slightly confused. Is XSS only possible if the user input is then output on the page?
Many thanks :)
Upvotes: 0
Views: 816
Answers (2)
Reputation: 50858
That should be safe.
Cross site scripting can only occur if you actually output something user-generated on your page.
An example of this would be if you took in a user's name as the get parameter name and did the following:
<?php
echo "Hello, {$_GET['name']}. How are you today?";
?>
In this case, if someone set the name-parameter to <script>alert('Hello, There!');</script>, they've suddenly got some JavaScript running on an URL hosted on your domain.
Granted, that example is pretty benign, but the fact that they could run that code means they could run any code they wished. They could, for instance, add a script that logged the usernames and passwords of all users that logged in through that URL. Your site would appear genuine, but they would have access to things they shouldn't have.
If you're confused about, or interested in learning more about cross site scripting, take a look at these questions:
- What is the general concept behind XSS?
- What is the way(best practice) to deal with XSS?
- How does XSS work?
- What are the best practices for avoiding xss attacks in a PHP site
Upvotes: 3
Reputation: 13690
Assuming that you only use the doRedirect input parameter in that if statement and nothing else then it is not vunerable.
If you were to do something like this, then yes it would be vulnerable:
if($_GET['doRedirect'] == "yes")
{
//redirect Page
}
else
{
//dont redirect page
// Create message to display in the browser
$messageToUser = 'You selected '.$_GET['doRedirect'].' for your redirection';
}
In this case you should perform validation on the input.
Upvotes: 2
Related Questions
- concerns about xss attacks in url $_GET submissions
- PHP Security - GET Variables, URL safe?
- Is echoing a $_GET parameter a website security vulnerability?
- PHP safe $_GET or not
- How to avoid XSS Attack or Sanitize the $_GET's KEY parameter via PHP
- Is it a bad practice to use a GET parameter (in URL) with no value?
- Is it unsecure to use $_GET to update the data from database?
- $_GET['user'] security vulnerability in PHP
- Should I still escape? $_GET and XSS, SQL Injection and other PHP Security Concerns
- simple PHP $_GET sanitization question