I had someone run a pentest against an application recently, and one of the critical problems it found was when some garbage was passed in a URL like this:

```
http://example.com/index.php/%27%3e%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45%72%52%6f%52%3d%61%6c%65%72%74%28%34%37%34%31%32%29%3e
```

How do I code against it? I am already cleaning all expected user inputs (such as when a user passes `index.php?id=<script>alert(1)</script>`). That part works fine.

How do I protect against unexpected data quoted below the first paragraph above? (Also, is there a specific name for this type of XSS attack?)
Be careful with the use of
You should do
And that’s a normal XSS attack.
I was using `$_SERVER['PHP_SELF']` in an

The solution is simple. I run `PHP_SELF` through a filter before using it, and any passed garbage is cleaned and safe to use on the page.
The previous answers are already OK, but for some reason `htmlspecialchars()` does not filter single quotes. If you need to filter single quotes you will need to add a parameter in

> How do I protect against unexpected data quoted below the first

```php
filter_input( INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
```
Thanks to @Sverri M. Olsen for explaining why to use `filter_input` instead of superglobals.
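An added example (not from the question or any of the answers) that takes the URL-decoded payload from the question and renders it into a single-quoted form attribute three ways, to show why the pre-8.1 default `htmlspecialchars()` flags are not enough and what `ENT_QUOTES` changes. The `$_SERVER['PHP_SELF']` value and the form markup are constructed inline so the script runs from the CLI.

```php
<?php
// Added example, not the original poster's code. Demonstrates attribute
// breakout via PHP_SELF and the single-quote caveat from the answer above.
declare(strict_types=1);

// Constructed: what $_SERVER['PHP_SELF'] holds for the request in the
// question (PHP_SELF includes the trailing path-info, so the payload rides
// along). Decodes to: /index.php/'><iMg SrC=x OnErRoR=alert(47412)>
$payload = rawurldecode('%27%3e%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45'
    . '%72%52%6f%52%3d%61%6c%65%72%74%28%34%37%34%31%32%29%3e');
$phpSelf = '/index.php/' . $payload;

// Vulnerable: PHP_SELF echoed raw into a single-quoted attribute.
function formVulnerable(string $self): string {
    return "<form action='" . $self . "' method='post'>";
}

// ENT_COMPAT (the default before PHP 8.1) escapes < > & and " but NOT ',
// so the attribute is still terminated early; the rest of the payload
// lands inside the <form> tag as extra attributes.
function formDefaultFlags(string $self): string {
    $safe = htmlspecialchars($self, ENT_COMPAT, 'UTF-8');
    return "<form action='" . $safe . "' method='post'>";
}

// Hardened: ENT_QUOTES escapes both quote styles; an explicit charset avoids
// encoding ambiguity. filter_input(INPUT_SERVER, 'PHP_SELF',
// FILTER_SANITIZE_FULL_SPECIAL_CHARS) gives the same result.
function formHardened(string $self): string {
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<form action='" . $safe . "' method='post'>";
}

// Check: after the action attribute's closing quote, the only thing that
// should remain is the markup we wrote ourselves. Anything else means the
// attacker-controlled value terminated the attribute.
function brokeOutOfAttribute(string $html): bool {
    preg_match("/action='([^']*)'(.*)$/s", $html, $m);
    return $m[2] !== " method='post'>";
}

$renders = [
    'vulnerable' => formVulnerable($phpSelf),
    'ENT_COMPAT' => formDefaultFlags($phpSelf),
    'ENT_QUOTES' => formHardened($phpSelf),
];
foreach ($renders as $label => $html) {
    $verdict = brokeOutOfAttribute($html) ? 'BROKEN OUT' : 'intact';
    printf("%-11s %-10s %s\n", $label, $verdict, $html);
}
```

Only the `ENT_QUOTES` rendering keeps the attribute intact; with `ENT_COMPAT` no new tag is created, but `OnErRoR=...` still ends up as an attribute of the form element, which is the breakout the answer above is warning about.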
> Also, is there a specific name for this type of XSS attack?

This is Stored XSS. The hacker could construct a custom query to attack the user by storing malicious code.

@Sandeep Nair explained the difference between Stored XSS and Reflected XSS.
The `strip_tags()` function may help.

```php
$str = 'index.php?id=<script>alert(1)</script>';
echo "<pre>";
echo strip_tags($str), "\n";
```
The above will output: