How to fix Cross site scripting or XSS


5

I’m studying some vulnerabilities I found on a site I built, and I came across the possibility of an attacker sending malicious code. After reading about it, my question is: do I just need to fix my script with code similar to this?

Application with vulnerability:

$busca = $_GET["busca"];

Vulnerability-free application:

$busca = htmlspecialchars($_GET["busca"]);

Is it possible to eliminate the possibility of a Cross-site scripting (XSS) attack with only this change?

  • First of all, who told you that this app has no vulnerability ?

  • Hello @Edilson, as I said in the question, in the research I did, one of the sites I arrived at was this: http://analyste.blogspot.com.br/2009/11/cross-site-scripting-ou-xss.html

  • htmlspecialchars does not escape single quotes ('), and inline JS, the DOM level 0 style handlers, is ignored.

  • If I have time, and if I still feel like answering, I will give you a reply with a few examples where htmlspecialchars lets JS be injected, even if in a limited way.

  • All help is always welcome @Edilson, thank you.

  • 1

    You must use ENT_QUOTES and UTF-8, in both parameters. In the end you will have something like htmlspecialchars($texto, ENT_QUOTES, 'UTF-8'). Another detail is whether to do this before (save to the database already with htmlspecialchars applied) or to save it "normal" and apply it afterwards, in the view. The second is said to be better, because it prevents a string from being "broken" by the database limit. Out of curiosity, the first method is the one used by WordPress, which still uses MD5 and supports PHP as old as 5.2, i.e. it is not a security reference.

  • You can sanitize $_GET: $value = filter_var($_GET["search"], FILTER_SANITIZE_STRING);

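As an added example (not code from the question or from any of the answers), the script below takes a value like $busca and echoes it into the places a search term usually ends up: element text, a single-quoted attribute, a URL attribute and an inline script. It shows where the question's single htmlspecialchars() call is enough and where it is not. The payloads are constructed for the demonstration, and escapeHtml(), safeHref() and jsValue() are helper names chosen here, not PHP built-ins.

```php
<?php
// Added example, not code from the question or the answers. Runs a few
// constructed payloads through the output contexts a search parameter lands in.

// HTML text and quoted attribute values. ENT_QUOTES also encodes ' (as &#039;);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
// PHP 8.1 made these flags the default; earlier versions default to ENT_COMPAT.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// URL attributes: "javascript:alert(1)" contains no character that
// htmlspecialchars() touches, so escaping alone passes it through unchanged.
// Allow only http(s) URLs before escaping.
function safeHref(string $url): string
{
    if (!preg_match('~^https?://~i', $url)) {
        return '#';
    }
    return escapeHtml($url);
}

// Inside a <script> block HTML escaping is the wrong encoder. json_encode()
// with the HEX flags yields a JS string literal that cannot close the tag.
function jsValue(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed payloads, one per context.
$body      = '<script>alert(1)</script>';
$attribute = "' onmouseover='alert(1)";          // breaks out of a single-quoted attribute
$href      = 'javascript:alert(1)';
$script    = '</script><script>alert(1)</script>';

// 1. Element body: even the pre-8.1 default flags (ENT_COMPAT) are enough here.
//    -> <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
echo '<p>', htmlspecialchars($body, ENT_COMPAT, 'UTF-8'), "</p>\n";

// 2. Single-quoted attribute: ENT_COMPAT leaves ' alone, so a DOM level 0
//    handler is injected (value='' onmouseover='alert(1)'); ENT_QUOTES
//    encodes the quote and the payload stays inside the attribute as text.
echo "<input value='", htmlspecialchars($attribute, ENT_COMPAT, 'UTF-8'), "'>\n";
echo "<input value='", escapeHtml($attribute), "'>\n";

// 3. href: the escaped output is byte-for-byte the payload and still executes
//    on click; the scheme check replaces it with a harmless "#".
echo '<a href="', escapeHtml($href), '">x</a>', "\n";
echo '<a href="', safeHref($href), '">x</a>', "\n";

// 4. Inline script: the JSON encoder turns < and > into \u003C and \u003E,
//    so the value cannot end the <script> element.
echo '<script>var q = ', jsValue($script), ";</script>\n";
```

The takeaway is that htmlspecialchars() answers the question only for HTML text and, with ENT_QUOTES, for quoted attributes; a value that is echoed into a URL, an event handler or a script block needs the encoder for that context, and no single call covers all four.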

4 answers

5


Good afternoon,

The use of htmlspecialchars will not stop sophisticated XSS attacks. I advise using this Anti-XSS class, which is more specific:

<?php

class AntiXSS {
    public static $err = "XSS Detected!";

    /*
     * @function   : setEncoding
     * @return     : String
     * @parameters : str: Content whose character encoding you want to change
     *               newEncoding: Character encoding you want to set
     * @description: Convert the character encoding of the string from its
     *               current encoding to newEncoding. The current encoding is
     *               detected by the function, so you only need to give str
     *               and newEncoding to setEncoding.
     */
    public static function setEncoding($str, $newEncoding) {
        $encodingList = mb_list_encodings();
        $currentEncoding = mb_detect_encoding($str, $encodingList);
        // mb_detect_encoding() returns false when no encoding matches;
        // fall back to UTF-8 rather than passing false to mb_convert_encoding().
        if ($currentEncoding === false) {
            $currentEncoding = "UTF-8";
        }
        $changeEncoding = mb_convert_encoding($str, $newEncoding, $currentEncoding);

        return $changeEncoding;
    }

    /*
     * @function   : blacklistFilter
     * @return     : String
     * @parameters : str: Content you want to filter with the blacklist
     * @description: Filter the content by the blacklist method. The library
     *               uses RSnake's XSS attack vectors. I continue to research
     *               new attack vectors to add.
     */
    public static function blacklistFilter($str) {
        // Reject content that matches a blacklisted vector (a script tag, with
        // anything between its letters) and return everything else unchanged.
        if (preg_match("/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t(.*)>(.*)/i", $str) > 0) {
            return self::$err;
        } else {
            return $str;
        }
    }

    /*
     * @function   : whitelistFilter
     * @return     : String
     * @parameters : str: Content you want to filter with the whitelist
     *               whiteFilterPattern: Some patterns for filtering the
     *               data types.
     * @description: Filter the content by the whitelist method. I continue
     *               to research new data types to add.
     */
    public static function whitelistFilter($str, $whiteFilterPattern) {

        switch ($whiteFilterPattern) {
            case "string":
                $pattern = "([a-zA-Z]+)";
            break;
            case "number":
                $pattern = "([0-9]+)";
            break;
            case "everything":
                $pattern = "(.*)";
            break;
            default:
                $pattern = "([0-9a-zA-Z]+)";
            break;
        }

        // The whole input must match the allowed pattern (anchored at both ends);
        // a single character outside it rejects the content.
        if (preg_match("/^$pattern$/i", $str) > 0) {
            return $str;
        } else {
            return self::$err;
        }
    }

    /*
     * @function   : setFilter
     * @return     : String
     * @parameters : str: Content you want to filter
     *               filterMethod: The library has 3 methods.
     *                  -Black Method
     *                  -White Method
     *                  -Gray Method
     *               filterPattern: Some patterns for filtering the
     *               data types. (You can only use this with the whitelist filter)
     *               noHTMLTag: Use PHP's strip_tags function to
     *               remove HTML tags from the content.
     * @description: Filter the content by method.
     */
    public static function setFilter($str, $filterMethod, $filterPattern = NULL, $noHTMLTag = NULL) {

        // Decode percent-encoding first so an encoded payload is seen in clear text.
        $str = urldecode($str);

        if ($noHTMLTag == 1) {
            $str = strip_tags($str);
        }

        // Normalise, then escape: after these three lines < > & " are entities
        // and quotes are backslash-escaped. The black/white filters below are
        // applied to that escaped form, not to the raw input.
        $str = strtolower($str);
        $str = addslashes($str);
        $str = htmlspecialchars(trim($str));

        switch($filterMethod) {
            case "black":
                $str = self::blacklistFilter($str);
            break;
            case "white":
                $str = self::whitelistFilter($str, $filterPattern);
            break;
            default:
                // "gray": escaping only, no additional filter
            break;
        }

        return $str;
    }
}
?>

I hope I’ve helped.

2

Just remove certain characters, for example <, >, &, ', ", /. Create some type of filter, for example using a regex to do this filtering.

$xss = /[&<>"'*]/;

Take a look at w3school on how to use regex https://www.w3schools.com/php/php_regex.asp

The example below has a solution using JavaScript. I used this code in React (frontend); the filter was applied as soon as the user typed something. Just do not forget to put the filter in the backend as well.

export const htmlPurify = (value = '') => {
  // The g flag is required so every occurrence is removed, not only the first match.
  const regex = /[!@#$%^&<>"'¨*]/g;
  return value.replace(regex, '');
};

1

You have an option that is not as sophisticated as P1xm4's, but filter_var is also an alternative:

$busca = htmlspecialchars($_GET["busca"]);
// FILTER_SANITIZE_FULL_SPECIAL_CHARS HTML-encodes the same characters as
// htmlspecialchars(); the constant in the original post,
// FILTER_SANITIZE_NUMBER_STRING, is not defined by PHP.
$strBusca = filter_var($busca, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

-6

Just block special characters from being interpreted by the browser.

Some of them are < > ' ", etc.

  • 5

    This has not the slightest foundation; it is ironic to use a name that suggests a relationship with security. It would be good to study what the site is (and at least read the question) before responding. Here are some links that may help: What is Stack Overflow, [Answer]

  • I’ll show you one of my systems with this protection, and I want to see you pull off an XSS of even the most harmless kind. You probably won’t even answer, but the challenge is made =)

  • You are talking to someone who has received several bug bounties for XSS, not a forum enthusiast like you are probably used to.

  • 1

    The problem here is that the site requires answers to what was asked. Whether you know it or not is not something to discuss here (and I don’t care, especially considering that you don’t seem to know what the question is about). I am removing the comments unrelated to the subject of the question and will remove this one soon. Reading [Answer] may help with your next answers (and [Edit] this one if you want to correct it)
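As an added example (not code from any of the answers), the script below runs the same inputs through the three approaches proposed on this page side by side: the blacklist regex from the AntiXSS class in the first answer, the character stripping suggested in the second and fourth answers, and output escaping with htmlspecialchars(). The payloads and the legitimate search string are constructed for the demonstration; blacklistRejects(), stripSpecials() and escapeHtml() are names chosen here.

```php
<?php
// Added example: compares the filtering strategies proposed in the answers
// with output escaping. All inputs below are constructed for the demo.

// The blacklist pattern from the AntiXSS class: true when the input is rejected.
function blacklistRejects(string $s): bool
{
    return preg_match("/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t(.*)>(.*)/i", $s) > 0;
}

// Character stripping as in the second and fourth answers: delete the
// characters the browser could interpret.
function stripSpecials(string $s): string
{
    return preg_replace('/[&<>"\'*]/', '', $s);
}

// Output escaping: the data is kept intact and the browser renders it as text.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

$inputs = [
    'script tag'   => '<script>alert(1)</script>',
    'img onerror'  => '<img src=x onerror=alert(1)>',   // no s,c,r,i,p,t sequence after "<"
    'svg onload'   => '<svg onload=alert(1)>',          // contains no "c" at all
    'legit search' => "Tom & Jerry's \"best\" episodes",
];

printf("%-13s %-9s %-30s %s\n", 'input', 'blacklist', 'stripped', 'escaped');
foreach ($inputs as $label => $value) {
    printf("%-13s %-9s %-30s %s\n",
        $label,
        blacklistRejects($value) ? 'rejected' : 'passed',
        stripSpecials($value),
        escapeHtml($value));
}
```

The table makes the difference between the approaches visible on real input: the blacklist rejects only the literal script tag and passes the img and svg vectors, because they never contain the blocked letters in that order; stripping neutralises all three payloads but also turns the legitimate search into "Tom  Jerrys best episodes", silently corrupting user data; escaping keeps every input byte and renders all four as inert text. The check a practitioner wants is therefore whether the output is encoded for its context, not whether the input survived a filter.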
