Non-Standard HTML Fuels XSS Attacks

May 6, 2007

To start off with this post I feel that I should define XSS:
XSS (Cross-site scripting) is a security vulnerability which allows code injection into web pages viewed by other users.

While doing some coding research the other day I found an interesting XSS attack that I had not thought of previously, because I work primarily with standards-based XHTML. Non-standard HTML or XHTML makes XSS attacks easier to pull off; even when you use htmlspecialchars or htmlentities you can run into problems. Since I like to show by example, see the following segment.

Say you are taking in user input, putting it into a link, and also using it for display on the page. The input is not strictly validated, so the choice was made to escape it with htmlentities or htmlspecialchars:

&lt;?php
if (isset($_GET['user_input'])) {
    // Escapes <, >, & and both quote characters, but not spaces;
    // note that the href attribute below is left unquoted
    $user_input = htmlentities($_GET['user_input'], ENT_QUOTES);
    echo "<a href=next_page.php?input={$user_input}>{$user_input}</a>";
} else {
    echo '<form action="" method="get"><input type="text" name="user_input"/></form>';
}

At first you may see nothing wrong with the code above, as htmlentities will block most XSS attacks in this case. However, look at the href attribute and notice that there are no quotes around its value. htmlentities lets the user enter spaces, and a space is not translated into an entity, so it is free to end the attribute value early.

Say I enter the input as " onclick=alert(null);" and notice that I can now execute JavaScript when a user clicks on the link. Sure, this only pops up an alert box, but much more could easily be crafted into this spot. One thing that could be done is to use the PHP function urlencode, which encodes the input for a URL. This should help in the interim, but the best approach would be to standardize the HTML so that attribute values are always quoted, as well as to use other functions such as urlencode for the URL portion. An even better solution would be to filter the user's input to allow only the information you are actually expecting.
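To make the difference concrete, here is an added example (my own code, not the post's) that renders the same link two ways: the post's unquoted pattern, and a quoted version that URL-encodes the query value and HTML-escapes both contexts. Each fragment is then parsed with PHP's DOMDocument to list which attributes the anchor actually ends up with. The function names and the use of DOMDocument as a stand-in for a browser's parser are this example's own choices; the input string is the one from the post.

```php
<?php
// Added example, not the original post's code. It contrasts the post's
// unquoted-attribute rendering with a quoted, context-aware rendering and
// parses both to show which attributes a browser-like parser sees.

// Mirrors the post's pattern: HTML-escaped, but the href is left unquoted.
function render_unquoted(string $input): string {
    $e = htmlentities($input, ENT_QUOTES, 'UTF-8');
    return "<a href=next_page.php?input={$e}>{$e}</a>";
}

// Hardened: quote every attribute, URL-encode the query value, then
// HTML-escape the result, since the value sits in a URL inside an attribute.
function render_quoted(string $input): string {
    $href = 'next_page.php?input=' . urlencode($input);
    $attr = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    return "<a href=\"{$attr}\">{$text}</a>";
}

// Parse a fragment and return the attribute names on the first <a>.
function link_attributes(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // keep libxml quiet on odd markup
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $a = $doc->getElementsByTagName('a')->item(0);
    $names = [];
    foreach ($a->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// The post's input: the space after the quote is what lets a second
// attribute ride along once the href value is unquoted.
$input = '" onclick=alert(null);"';

foreach (['unquoted' => render_unquoted($input),
          'quoted'   => render_quoted($input)] as $label => $html) {
    echo $label, ": ", $html, "\n";
    echo "  attributes seen by the parser: ", implode(', ', link_attributes($html)), "\n";
}
```

The unquoted rendering comes back with both href and onclick, because htmlentities turned the quotes into &quot; but left the space alone, and the space terminates an unquoted attribute value. The quoted rendering comes back with href only: urlencode has turned the space into + and the quote into %22 before the value ever reaches the attribute.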

I am positive that there are several sites with this type of problem. Many sites already have XSS vulnerabilities present, and many people fail to see the scale of the problem this can create. However, if you do your research, it is quite easy to see that these attacks can be extremely harmful.
