XSS Guide - 4th Part - How To fix a XSS vulnerability
-------------------------------
Author: Langy
Data: 19-02-2008
Copyright: http://www.googlebig.com
-------------------------------
Links:
http://www.gnucitizen.org/xssdb/application.htm (Attack Database)
http://www.xssed.com (Mirror Archive of Vulnerable Websites)
http://ha.ckers.org/xss.html (XSS Cheat sheet)
http://software.graflex.org/dexss/ (Removing JavaScript from HTML)
http://en.wikipedia.org/wiki/Cross-site_scripting
http://it.php.net/htmlentities
http://it2.php.net/htmlspecialchars
http://it2.php.net/strip_tags
-------------------------------
For fix the problem of cross site injection we have to use one of the 3 functions php.
These functions clean up the HTML tags, so is not possible inject into the code.
The function more used is htmlspecialchars() that transmutes all the characters "<" and ">" into "<" and ">".
Another option is htmlentities(), which replaces all the characters in the corresponding entities.
<?
// This page shows an example
// of the differences in output between 2 functions
$input = '<script>alert(1);</script>';
echo htmlspecialchars($input) . '<br />';
echo htmlentities($input);
?>
An example of htmlentities()
<?php
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);
echo htmlentities($str, ENT_QUOTES);
?>
The first show --> A 'quote' is <b>bold</b>
The second --> A 'quote' is <b>bold</b>
An example of htmlspecialchars()
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;
?>
This show --> <a href='test'>Test</a>
The funztion strip_tags(), instead, deletes all HTML elements, except certain elements that need to specify permitted such as <i>, <b> or <p>.
An example of strip_tags()
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> Other text';
echo strip_tags($text);
echo "\n";
// allow <p>
echo strip_tags($text, '<p>');
?>
Now that we know at least that there are these functions, we will to apply into the code when we find a xss in our web application.
I have recently found a xss on my website in Video section of GoogleBig which is a plugin of Mybb forum, I have placed a piece of code to make the idea of how I had to apply the function to fix the search bug.
First of all I have found the php page in question: search.php
Now let's look for the portion of code that makes available research, query and output the result of the query:
function search($query, $page)
{
global $db, $bgcolor2, $bgcolor4, $sitename, $io_db, $module_url, $list_page_items, $hm_index;
$option = trim($option);
$query = trim($query);
$query = FixQuotes(nl2br(filter_text($query)));
$db->escape_string($query);
$db->escape_string($option);
alpha_search($query);
...
In this case the variable that passes the values is $query then we apply the function htmlentities():
$query = FixQuotes(nl2br(filter_text(htmlentities($query))));
If you have problems you can post here, or consult the manuals on these 3 php functions that we saw:
http://it.php.net/htmlentities
http://it2.php.net/htmlspecialchars
http://it2.php.net/strip_tags
The following guide can be used freely on any site without changes including copyright.
Versione italiana: http://www.googlebig.com/forum/guida-xss...t-177.html
