Help - XSS vulnerability
Hello folks,
In short, this code is vulnerable:
<div class="search">
    <form action="/search" method="get" name="header_search">
        <label>{l t='Search Business'} <input name="searchtext" type="text" id="searchtext" placeholder="{l t='e.g.Marriott'}" /></label>
        <label>{l t='City'} <input name="cityname" type="text" id="Hsearchcity" autocomplete="off" placeholder="{l t='All Cities'}" class="commentColor cityname"/>
        </label>
        <a onclick="header_search.submit()" href="javascript:void(0)">{l t='Search'}</a>
    </form>
</div>
I have been trying to implement the unhtmlentities() or htmlspecialchars() functions with no success. How can it be done, please?
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
I have been trying to implement the unhtmlentities() or htmlspecialchars() functions with no success. How can it be done, please?
What is the definition of "with no success"? You need to be explicit here!
evstevemd
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 462
Solved Threads: 392
Either I implemented it in the wrong way, or it gave no results.
My implementation was lacking the variable that takes the searchtext, or is it the $searchtext itself?
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
Or, to be precise, how do I implement the mentioned functions in my code?
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
What are you trying to do?
evstevemd
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 462
Solved Threads: 392
Prevent XSS; in other words, sanitize tags (<, >, ", etc.).
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
evstevemd
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 462
Solved Threads: 392
I read that before, but how do I use it in the context of my code? What's the variable that will be sanitized?
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
You don't show your data handling code, only the input form. The sanitizing occurs with the validation of the $_GET vars.
diafol
Rhod Gilbert Fan (ardav)
7,796 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
Thanks ardav, things have become easier now. Yet here is my code:
if ($_POST['type'] == 'biz')
{
    $keyword = $_POST['biz'];
    //NEWLY ADDED
    $keyword = filter_var($keyword, FILTER_SANITIZE_URL, FILTER_FLAG_STRIP_LOW);
    $keyword = filter_var($keyword, FILTER_SANITIZE_URL, FILTER_FLAG_STRIP_HIGH);
    $keyword = filter_var($keyword, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_HIGH);
    $keyword = filter_var($keyword, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_LOW);
    //ADD END
    $keyword = addslashes(str_replace("||sp_rp_and||", "&", $keyword));
    if ($keyword == "")
        $query = "select * from `business` order by business_id DESC LIMIT 0,20";
    else
        $query = "select * from `business` where business_name like '%".$keyword."%' ORDER BY business_name asc limit 0,20";
    $rc = mysql_query($query);
    $i = 0;
    $array = array(); // initialise so the check below is defined when no rows match
    while ($row = mysql_fetch_array($rc))
    {
        $array[$row['business_id']] = $row;
    }
    if (!$array) exit;
    $str = "<ul>";
    foreach ($array as $business_id => $row)
    {
        // $keyword is used as a regex pattern; $row values go into HTML text and an onClick attribute
        $showName = preg_replace("/(".$keyword.")/i", "<abbr>$1</abbr>", $row['business_name']);
        $str .= "<li onClick=\"fillBiz('".$business_id."','".addslashes($row['business_name'])."','".addslashes($row['permalink'])."')\">".$showName."</li>";
    }
    $str .= "</ul>";
    echo $str;
}
Am I close?
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
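Added example, not code from the thread or from the poster: a hardened version of the autocomplete handler above, written to show where the remaining risks sit even after the filter_var() calls. It assumes PHP 7+, the mbstring extension, a PDO connection in a hypothetical $pdo, and the same `business` columns (business_id, business_name, permalink); the helper names e(), js_attr(), highlight(), find_businesses() and render_suggestions() are mine. The keyword is kept raw and is encoded separately for each context it lands in: a bound SQL parameter (with LIKE wildcards escaped), HTML text inside the <li>, and a JavaScript string literal inside the onclick attribute. preg_replace() with the keyword as the pattern is replaced by a plain case-insensitive search so user input is never interpreted as a regex.

```php
<?php
// Added example, not the thread's code: a hardened version of the autocomplete
// handler posted above. Assumptions: PHP 7+, the mbstring extension, a PDO
// connection in $pdo (hypothetical), and the same `business` table columns
// (business_id, business_name, permalink). The function names are mine.
declare(strict_types=1);

/** Encode for HTML text and double-quoted attribute values. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a value as a JavaScript string literal placed inside an HTML event attribute. */
function js_attr(string $s): string
{
    // json_encode yields a quoted JS literal; the HEX flags keep < > & ' " out of it,
    // and e() handles the attribute context it is embedded in.
    return e(json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT));
}

/** Highlight the first case-insensitive match of $keyword in $name, encoding every part. */
function highlight(string $name, string $keyword): string
{
    $pos = ($keyword === '') ? false : mb_stripos($name, $keyword, 0, 'UTF-8');
    if ($pos === false) {
        return e($name);
    }
    $len = mb_strlen($keyword, 'UTF-8');
    return e(mb_substr($name, 0, $pos, 'UTF-8'))
        . '<abbr>' . e(mb_substr($name, $pos, $len, 'UTF-8')) . '</abbr>'
        . e(mb_substr($name, $pos + $len, null, 'UTF-8'));
}

/** Query with a bound parameter; LIKE wildcards in the keyword are escaped as data. */
function find_businesses(PDO $pdo, string $keyword): array
{
    $cols = 'SELECT business_id, business_name, permalink FROM `business` ';
    if ($keyword === '') {
        return $pdo->query($cols . 'ORDER BY business_id DESC LIMIT 20')->fetchAll(PDO::FETCH_ASSOC);
    }
    // MySQL's default LIKE escape character is the backslash.
    $like = '%' . addcslashes($keyword, '%_\\') . '%';
    $stmt = $pdo->prepare($cols . 'WHERE business_name LIKE ? ORDER BY business_name ASC LIMIT 20');
    $stmt->execute([$like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Build the <ul> from rows already fetched, so rendering can be checked without a database. */
function render_suggestions(string $keyword, array $rows): string
{
    if ($rows === []) {
        return '';
    }
    $str = '<ul>';
    foreach ($rows as $row) {
        $str .= '<li onclick="fillBiz('
            . js_attr((string) $row['business_id']) . ','
            . js_attr($row['business_name']) . ','
            . js_attr($row['permalink'])
            . ')">' . highlight($row['business_name'], $keyword) . '</li>';
    }
    return $str . '</ul>';
}

// Request handling: keep the raw value, decode the form's own "&" token, do not pre-encode.
if (($_POST['type'] ?? '') === 'biz' && isset($pdo)) {
    $keyword = str_replace('||sp_rp_and||', '&', (string) $_POST['biz']);
    header('Content-Type: text/html; charset=UTF-8');
    echo render_suggestions($keyword, find_businesses($pdo, $keyword));
    exit;
}

// Constructed rows standing in for the database, including a name that carries stored markup.
$rows = [
    ['business_id' => 1, 'business_name' => 'Marriott <b>Downtown</b>', 'permalink' => "marriott'downtown"],
    ['business_id' => 2, 'business_name' => "O'Malley & Sons", 'permalink' => 'omalley'],
];
echo render_suggestions('mar', $rows), "\n";
```

Run stand-alone, the script renders the two constructed rows: the stored <b> tags come out as &lt;b&gt; text, the apostrophe in the permalink reaches the JavaScript handler as \u0027, and only the <abbr> wrapper added by highlight() survives as markup. The point of keeping $keyword raw is that each sink needs a different encoding; a single filter_var() on input cannot be right for the SQL, the HTML text and the event handler at the same time.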
Don't sanitize everything. If the field is EMAIL, sanitize it with the EMAIL filter.
You have to know the type expected!
For your case, $keyword= filter_var($keyword, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_LOW); seems to be the right one. If you put it into MySQL, don't forget to escape it using mysql_real_escape_string().
evstevemd
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 462
Solved Threads: 392
Thanks,
I don't expect the user to enter anything but names and numbers, so I guess there is no harm in filtering.
But that doesn't seem to work anyway; I still get XSS upon entering a script in the keyword field. I tried str_replace() as well, and it doesn't work. This is confusing!
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
evstevemd
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 462
Solved Threads: 392
Thanks,
I don't expect the user to enter anything but names and numbers, so I guess there is no harm in filtering.
But that doesn't seem to work anyway; I still get XSS upon entering a script in the keyword field. I tried str_replace() as well, and it doesn't work. This is confusing!
What is your current code and how do you test it?
evstevemd
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 462
Solved Threads: 392
I test it by inserting the following in the search field / or url:
"><script>alert(document.cookie);</script>"
and I receive the pop-up showing the cookie info.
I tried working at the mod_security level, but that didn't work either (it didn't validate the input).
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
OK, I see: it's what the DB is spitting out that's causing the problem. Why not use htmlentities() on input? This should only kill off HTML (script); there should be none of that in your input fields, right?
You don't need to html_decode_entity() on output, as no HTML should be included.
I use mysql_real_escape_string() to stop SQL injection and htmlentities() to avoid XSS.
diafol
Rhod Gilbert Fan (ardav)
7,796 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
OK, I see: it's what the DB is spitting out that's causing the problem. Why not use htmlentities() on input? This should only kill off HTML (script); there should be none of that in your input fields, right?
You don't need to html_decode_entity() on output, as no HTML should be included.
I use mysql_real_escape_string() to stop SQL injection and htmlentities() to avoid XSS.
Tried htmlentities() on every possible input; nothing but the bloody pop-up after testing.
Nothing is working; this is frustrating!
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
$input = mysql_real_escape_string(htmlentities($var));
Doesn't work?
diafol
Rhod Gilbert Fan (ardav)
7,796 posts since Oct 2006
Reputation Points: 1,170
Solved Threads: 1,080
Here is the combination:
$keyword = $_POST['biz'];
$keyword = mysql_real_escape_string(htmlentities($keyword)); //this
or
$keyword = $_POST['biz'];
$keyword = htmlentities($keyword, ENT_QUOTES); //this
Doesn't do anything.
El Duke
Junior Poster in Training
77 posts since Apr 2008
Reputation Points: 10
Solved Threads: 0
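Added example, not code from the thread or from any of the posters, to show why encoding $_POST['biz'] in the autocomplete handler cannot change what the reported test string does. It assumes that the search results page echoes the submitted searchtext back into the input's value attribute; the thread never shows that page, but a probe beginning with "> is what breaks out of exactly that context. The function names render_search_box_unsafe(), render_search_box(), is_inert() and search_page() are mine. The vulnerable rendering sits beside the hardened one, and is_inert() is the kind of regression check a practitioner would keep for such a page.

```php
<?php
// Added example, not code from the thread. It assumes the search results page
// echoes the submitted searchtext back into the input's value attribute; the
// thread does not show that page, but a test string starting with "> is what
// breaks out of exactly that context. Function names are mine.
declare(strict_types=1);

/** For contrast only: the raw parameter is concatenated into an attribute. */
function render_search_box_unsafe(string $searchtext): string
{
    return '<input name="searchtext" type="text" value="' . $searchtext . '" />';
}

/** Hardened: encode at the point of output, for the context it lands in (a quoted attribute). */
function render_search_box(string $searchtext): string
{
    $safe = htmlspecialchars($searchtext, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="searchtext" type="text" value="' . $safe . '" />';
}

/**
 * Regression check for the fragment: it must contain exactly one tag (the input)
 * and no script element, whatever the query string held.
 */
function is_inert(string $html): bool
{
    return substr_count($html, '<') === 1 && stripos($html, '<script') === false;
}

/** The results page as a whole; the raw value is kept and encoding happens in the renderer. */
function search_page(array $get): string
{
    $searchtext = (string) ($get['searchtext'] ?? '');
    return '<form action="/search" method="get" name="header_search">'
        . render_search_box($searchtext)
        . '</form>';
}

// Constructed input: the probe string reported earlier in the thread.
$probe = '"><script>alert(document.cookie);</script>"';

// Unsafe: the leading quote closes value="", and the remainder becomes markup.
var_dump(is_inert(render_search_box_unsafe($probe)));
// Hardened: the same string is emitted as entity-encoded text inside the attribute.
var_dump(is_inert(render_search_box($probe)));
echo search_page(['searchtext' => $probe]), "\n";
```

Two things follow from this. First, the variable that needs encoding is the one being echoed on the page where the pop-up appears (here $_GET['searchtext']), not whichever variable happens to be handled nearby; sanitizing $_POST['biz'] leaves the reflected parameter untouched. Second, applying htmlentities() before storing a value means the database now holds encoded text that is wrong for every non-HTML consumer and gets double-encoded on output; storing the raw value and calling htmlspecialchars() with ENT_QUOTES at each output point is the simpler and more reliable rule.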
evstevemd
Senior Poster
3,713 posts since Jun 2007
Reputation Points: 462
Solved Threads: 392