
javascript – How to protect against this type of attack?

Posted by: admin July 12, 2020

Questions:

I had someone run a pentest against an application recently and one of the critical problems it found was when some garbage was passed in a URL like this:

http://example.com/index.php/%27%3e%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45%72%52%6f%52%3d%61%6c%65%72%74%28%34%37%34%31%32%29%3e

The problem is that the attacker simply adds a slash then some encoded javascript (an image tag with alert box), which kills the page. Simple and effective attack.

How do I code against it? I am already cleaning all expected user inputs (such as when a user passes index.php?id=<script>alert(1)</script>). That part works fine.

How do I protect against unexpected data quoted below the first paragraph above? (Also, is there a specific name for this type of XSS attack?)

Answers:

Be careful with the use of $_SERVER['PHP_SELF']

You should do htmlspecialchars($_SERVER["PHP_SELF"]); or htmlentities($_SERVER["PHP_SELF"]);

And that’s a normal XSS attack.


Answer:

I was using $_SERVER['PHP_SELF'] in an href tag, so that’s where the JavaScript was triggered.

The solution is simple. I run PHP_SELF through a filter before using, and any passed garbage is cleaned and safe to use on the page.

Answer:

The previous answers are already ok, but for some reason htmlspecialchars() does not filter single quotes. If you need to filter single quotes you will need to add a parameter: htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES)

Answer:

How do I protect against unexpected data quoted below the first paragraph above?

filter_input( INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_FULL_SPECIAL_CHARS );

Thanks to @Sverri M. Olsen for explaining why to use filter_input instead of superglobals

https://stackoverflow.com/a/15103555/11173494

Also, is there a specific name for this type of XSS attack?

This is Stored XSS. The hacker could construct a custom query to attack users by storing malicious code.

@Sandeep Nair explained the difference between Stored XSS and Reflected XSS

https://stackoverflow.com/a/48893119/11173494
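An added example (not code from the question or any of the answers) that puts the three answers above side by side: it decodes the payload from the question into $_SERVER['PHP_SELF'] by hand, then renders that value into a single-quoted href the way the asker did, with htmlspecialchars() in its pre-8.1 default mode, and with ENT_QUOTES. The function names and the assumption that the web server percent-decodes the path info into PHP_SELF are mine.

```php
<?php
declare(strict_types=1);

// Constructed sample (assumption: Apache/PHP percent-decode the extra path
// after index.php/ and append it to PHP_SELF), so PHP_SELF ends up holding
// the decoded payload from the question.
$_SERVER['PHP_SELF'] = '/index.php/' . rawurldecode(
    '%27%3e%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45%72%52%6f%52%3d'
    . '%61%6c%65%72%74%28%34%37%34%31%32%29%3e'
);

// How the asker used it: the raw value dropped into a single-quoted attribute.
// The leading ' closes href, the > closes the <a> tag, and the <img> is live.
function linkUnsafe(string $self): string
{
    return "<a href='{$self}'>self</a>";
}

// First answer's fix as written. ENT_COMPAT is what htmlspecialchars() used
// by default before PHP 8.1: < > & " are encoded, but ' is left alone, so
// the value still terminates the href='...' attribute early.
function linkEscapedDefault(string $self): string
{
    return "<a href='" . htmlspecialchars($self, ENT_COMPAT, 'UTF-8') . "'>self</a>";
}

// Third answer's fix: ENT_QUOTES encodes ' as well, so the value cannot end
// the attribute regardless of which quote character wraps it.
function linkEscapedQuotes(string $self): string
{
    return "<a href='" . htmlspecialchars($self, ENT_QUOTES, 'UTF-8') . "'>self</a>";
}

// Whether the attribute is still closed by the quote we wrote, i.e. the
// rendered markup contains exactly the two quotes of href='...'.
function attributeIntact(string $html): bool
{
    return substr_count($html, "'") === 2;
}

foreach (['linkUnsafe', 'linkEscapedDefault', 'linkEscapedQuotes'] as $fn) {
    $html = $fn($_SERVER['PHP_SELF']);
    printf("%-18s intact=%s\n  %s\n", $fn, attributeIntact($html) ? 'yes' : 'no', $html);
}
```

Only linkEscapedQuotes reports intact=yes; the same ENT_QUOTES call belongs anywhere PHP_SELF, REQUEST_URI or PATH_INFO is written into markup, not only in this one href.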

Answer:

The strip_tags() function may help.
For example:

<?php
// strip_tags() removes the <script> tags themselves but keeps their text content
$str = 'index.php?id=<script>alert(1)</script>';
echo "<pre>";
echo strip_tags($str), "\n";

The above will output:

index.php?id=alert(1)