
Re: XSS help


From: focus () karsites net
Date: Mon, 9 Aug 2004 19:14:51 +0000 (GMT)


Because the coder hasn't taken precautions to clean the
input, it will happily output the Javascript you've given
it so that the browser will execute it, but it will not
execute any PHP code - it'll just get returned to the
browser as-is.

---

You need to turn register_globals off in php.ini, and check
the content of each variable passed to the php script,
before using it.

At the start of each php script, check that each variable holds one of
its expected values. After that, refer only to the checked values in the
rest of the script, since those are known to be clean.

If any unexpected values are found, abort the script.

Eg:

<HTML>
<HEAD>

<META name="description" content="Free online mutual exchange register for Kings Lynn
 area and surrounding villages. For use by council or housing association
 tenants only">

<TITLE> </TITLE>

<LINK REL="stylesheet" HREF="./muxreg.css" TYPE="text/css">

</HEAD>

<!-- ========================================================== -->

<BODY> <A NAME="top"></A>

<?php // straight into php4 mode

/*----------------------------------------------------------------------*/
 // put the URL query string into global scope

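 $v_url_string = isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : '';

/*----------------------------------------------------------------------*/
 // global form variables & semicolon & xss checking functions
 // (must be included before any of the *_check() calls below)
   include "./com_3.hml";

/*----------------------------------------------------------------------*/
 // get hidden POST variables from form1.hml or form1_b.hml
 // including the submit button, and put into global scope!
 //
 // A field absent from the POST body is read as '' rather than null: no
 // "undefined index" notice is raised, the *_check() functions accept ''
 // as "not set", and the string functions they call always get a string.

 $v_debug_value   =  isset($_POST["v_debug_value"])  ? $_POST["v_debug_value"]  : '';
 $v_table_output  =  isset($_POST["v_table_output"]) ? $_POST["v_table_output"] : '';
 $v_advcd_search  =  isset($_POST["v_advcd_search"]) ? $_POST["v_advcd_search"] : '';
 $v_submit_form   =  isset($_POST["v_submit_form"])  ? $_POST["v_submit_form"]  : '';

 // check contents of hidden variables for any hacking -
 // each of these exit()s the script if the value is not in its allowed list
 ON_OFF_check($v_debug_value, 'v_debug_value');
 ON_OFF_check($v_table_output, 'v_table_output');
 ON_OFF_check($v_advcd_search, 'v_advcd_search');
 submit_form_check($v_submit_form, 'v_submit_form');

/*----------------------------------------------------------------------*/
 // get POST variables specific to form1.hml
 // simple search form and put into global scope!

 if ('OFF' == $v_advcd_search)
 {
  $v_ref_number      =  isset($_POST["v_ref_number"])     ? $_POST["v_ref_number"]     : '';
  $v_wants_property  =  isset($_POST["v_wants_property"]) ? $_POST["v_wants_property"] : '';
  $v_wants_area      =  isset($_POST["v_wants_area"])     ? $_POST["v_wants_area"]     : '';
  $v_wants_bedrooms  =  isset($_POST["v_wants_bedrooms"]) ? $_POST["v_wants_bedrooms"] : '';
  $v_wants_landlord  =  isset($_POST["v_wants_landlord"]) ? $_POST["v_wants_landlord"] : '';
  $v_wants_heating   =  isset($_POST["v_wants_heating"])  ? $_POST["v_wants_heating"]  : '';
  $v_wants_garden    =  isset($_POST["v_wants_garden"])   ? $_POST["v_wants_garden"]   : '';

  // check contents of above form variables for any hacking
  // string_check() RETURNS the cleaned value (free-text field); the other
  // checks exit() on bad input and leave the variable untouched.
  // NOTE(review): the cleaned values are still plain text - they must be
  // escaped (htmlspecialchars) wherever they are echoed later, and bound as
  // parameters wherever they are used in a query.
  $v_ref_number = string_check($v_ref_number, 'v_ref_number');
  property_check($v_wants_property, 'v_wants_property');
  area_check($v_wants_area, 'v_wants_area');
  bedrooms_check($v_wants_bedrooms, 'v_wants_bedrooms');
  landlord_check($v_wants_landlord, 'v_wants_landlord');
  heating_check($v_wants_heating, 'v_wants_heating');
  garden_check($v_wants_garden, 'v_wants_garden');
 }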

/*----------------------------------------------------------------------*/

-- snip --


checking functions in com_3.hml

<HTML> <HEAD>

<TITLE> </TITLE> </HEAD>

<!-- ========================================================== -->

<BODY>

<?php // into php4 mode

/*-------------------------------------------------------------*/

// Call this function at the start of each script to identify the string
// find_txt (in lowercase, uppercase, or any combination of case) (or single
// character) hidden inside form variables posted to the server, and terminate
// this script if found.

// $v_var is variable to check
// $v_varname is text string name of variable
// $v_find_txt is the string to look for in $v_var

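/**
 * Abort the request if $v_find_txt occurs (case-insensitively) anywhere in
 * $v_var.  Prints an error page and exit()s on a hit; returns nothing.
 *
 * @param mixed  $v_var      form value to inspect
 * @param string $v_varname  field name, used only in the error message
 * @param string $v_find_txt substring (or single character) to look for
 */
function string_hacking_check($v_var, $v_varname, $v_find_txt)
{
 $v_haystack = strtolower((string) $v_var);
 $v_needle   = strtolower((string) $v_find_txt);

 // an empty needle can match nothing meaningful; without this guard newer
 // PHP versions report an empty string as found at offset 0 and every
 // value would be rejected
 if ('' === $v_needle)
  return;

 // strpos() rather than strchr(): only the presence of the needle matters
 if (strpos($v_haystack, $v_needle) === false)
  return;

 // everything echoed here came from (or names) user input, so escape it -
 // otherwise this "hacking" check is itself a reflected-XSS sink
 $v_esc_find = htmlspecialchars((string) $v_find_txt, ENT_QUOTES, 'UTF-8');
 $v_esc_name = htmlspecialchars((string) $v_varname, ENT_QUOTES, 'UTF-8');
 $v_esc_var  = htmlspecialchars((string) $v_var, ENT_QUOTES, 'UTF-8');

 echo "<P> The character or word <FONT COLOR='red'> $v_esc_find </FONT>".
      "was found in your <FONT COLOR='blue'> $v_esc_name </FONT> variable <BR>".
      "This is NOT valid input -> <FONT COLOR='red'> $v_esc_var </FONT> <BR>".
      "Program terminating now - Please try again";
 exit();
} // end of function string_hacking_check($v_var)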
/*-------------------------------------------------------------*/

// function to remove any invalid characters from form input
// variables without terminating the script being checked

// $v_var is variable to check for invalid characters

/**
 * Lower-case $v_var and delete a fixed set of unwanted character sequences.
 * Never terminates the script; returns the cleaned text.
 *
 * @param mixed $v_var form value to clean
 * @return string
 */
function strip_invalid_chars($v_var)
{
 // everything is folded to lowercase before stripping, so the caller's
 // original case is lost (the later re-casing is done by strip_invalid_string)
 $v_lower = strtolower($v_var);

 // sequences removed, in this order: the escaped quote / backslash forms
 // first, then the plain characters and marker strings.
 // NOTE: "aBc" contains uppercase letters and therefore can never match the
 // lowercased text - it is effectively a no-op entry.
 $v_unwanted = array("\\'", '"', "\\", '/', ';', '***', 'aBc');

 // this is a denylist: anything not listed passes through untouched, so the
 // result must still be escaped at the point where it is output
 return str_replace($v_unwanted, '', $v_lower);
} // end of function strip_invalid_chars($v_var)
/*-------------------------------------------------------------*/

// function to strip a string from a form variable WITHOUT terminating the
// script. String may be in lowercase, uppercase, or any combination.

// $v_var is variable to check
// $v_varname is the text-string-name of the variable
// $v_txt_str is the string to strip from $v_var

/**
 * Trim $v_var, remove every case-insensitive occurrence of $v_txt_str, then
 * re-case the result according to the field it came from.  Never terminates
 * the script.
 *
 * @param mixed  $v_var     form value to clean
 * @param string $v_varname field name; selects the re-casing rule
 * @param string $v_txt_str string to strip (an empty string strips nothing)
 * @return string
 */
function strip_invalid_string($v_var, $v_varname, $v_txt_str)
{
 // compare and strip in lowercase so the unwanted string matches in any case
 $v_cleaned = str_replace(strtolower($v_txt_str), "", strtolower(trim($v_var)));

 // restore a sensible case for the known fields
 switch ($v_varname)
 {
  case 'v_name':
  case 'v_address':
  case 'v_extra_info':
   $v_cleaned = ucwords($v_cleaned);
   break;

  case 'v_post_code':
  case 'v_phone_number':
   $v_cleaned = strtoupper($v_cleaned);
   break;

  case '****':
   // marker name: hand back the untouched input
   $v_cleaned = $v_var;
   break;
 }

 return $v_cleaned;
} // end of function strip_invalid_string($v_var)
/*-------------------------------------------------------------*/
//
// the following functions are used to check the validity of form variables
//
// for variable where the input is NOT KNOWN in advance use,
// eg. string_check($v_ref_number, 'v_ref_number');
// eg. string_check($v_name, 'v_name');
// eg. string_check($v_address, 'v_address');

// for variable whose input is KNOWN in advance use the checking functions
// for each variable,
// eg. property_check($v_has_property, 'v_has_property');
// eg. property_check($v_wants_property, 'v_wants_property');
// eg. property_check($v_wants_property_1, 'v_wants_property_1');
//
// eg. ON_OFF_check($v_debug_value, 'v_debug_value');
// eg. Y_N_check($v_has_careline, 'v_has_careline');
//
/*-------------------------------------------------------------*/

/* check for unknown input from form variables  */

// $v_var is variable to check
// $v_txt is text-string-name of variable

/**
 * Clean a free-text form field whose content is not known in advance.
 * Returns the cleaned value (lower/re-cased, tags and unwanted characters
 * removed); it does not terminate the script.
 *
 * @param mixed  $v_var form value to clean
 * @param string $v_txt field name
 * @return string
 */
function string_check($v_var, $v_txt)
{
 // 1. drop any html / php tags
 $v_no_tags = strip_tags($v_var);

 // hook for hard-stop checks that exit() on a match - add as required, eg.
 // string_hacking_check($v_no_tags, $v_txt, 'here');

 // 2. strip the unwanted characters (denylist, see strip_invalid_chars)
 $v_no_ctrl = strip_invalid_chars($v_no_tags);

 // 3. strip unwanted strings and re-case for the named field;
 //    an empty third argument strips nothing
 // NOTE(review): the returned text is cleaned, not encoded - it still has to
 // be escaped with htmlspecialchars() wherever it is echoed.
 return strip_invalid_string($v_no_ctrl, $v_txt, '');
} // end of function string_check($v_var)
/*-------------------------------------------------------------*/

// the following checking functions should be self-explanatory!

// $v_var is variable to check
// $v_txt is text-string-name of variable

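/**
 * Abort the request unless $v_var is one of the property types the form can
 * submit.  Prints an error page and exit()s on bad input; returns nothing.
 *
 * @param mixed  $v_var value read from $_POST (string, null or array)
 * @param string $v_txt field name, used only in the error message
 */
function property_check($v_var, $v_txt)
{
 // values the form can legitimately send; '' covers "not chosen" and a
 // missing (null) field, which is also treated as ''
 $v_allowed = array('', 'House', 'Bungalow', 'Bedsit',
                    'Downstairs Flat', 'Downstairs Maisonette',
                    'Upstairs Flat', 'Upstairs Maisonette',
                    'Y', 'N');

 // a field sent as an array (v_wants_property[]=...) can never be valid;
 // anything else is compared as a string, strictly, so no type juggling
 $v_value = is_array($v_var) ? null : (string) $v_var;

 if ($v_value !== null && in_array($v_value, $v_allowed, true))
  return;

 // the rejected value is reflected back to the browser, so it must be
 // HTML-escaped here or this check becomes a reflected-XSS sink itself
 echo "<P> There is bad input in your <FONT COLOR='blue'> " .
      htmlspecialchars((string) $v_txt, ENT_QUOTES, 'UTF-8') . " </FONT> variable <BR>" .
      "This is NOT valid input  -> <FONT COLOR='red'> " .
      htmlspecialchars($v_value === null ? 'Array' : $v_value, ENT_QUOTES, 'UTF-8') . " </FONT> <BR>" .
      "Program terminating now - Please try again";
 exit();
} // end of function property_check($v_var, $v_txt)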
/*-------------------------------------------------------------*/

// $v_var is variable to check
// $v_txt is text-string-name of variable

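/**
 * Abort the request unless $v_var is one of the landlord choices the form can
 * submit.  Prints an error page and exit()s on bad input; returns nothing.
 *
 * @param mixed  $v_var value read from $_POST (string, null or array)
 * @param string $v_txt field name, used only in the error message
 */
function landlord_check($v_var, $v_txt)
{
 // values the form can legitimately send; '' covers "not chosen" and a
 // missing (null) field, which is also treated as ''
 $v_allowed = array('', 'BCKLWN', 'Housing Association', 'Y', 'N');

 // a field sent as an array can never be valid; anything else is compared
 // as a string, strictly, so no type juggling
 $v_value = is_array($v_var) ? null : (string) $v_var;

 if ($v_value !== null && in_array($v_value, $v_allowed, true))
  return;

 // the rejected value is reflected back to the browser, so it must be
 // HTML-escaped here or this check becomes a reflected-XSS sink itself
 echo "<P> There is bad input in your <FONT COLOR='blue'> " .
      htmlspecialchars((string) $v_txt, ENT_QUOTES, 'UTF-8') . " </FONT> variable <BR>" .
      "This is NOT valid input  -> <FONT COLOR='red'> " .
      htmlspecialchars($v_value === null ? 'Array' : $v_value, ENT_QUOTES, 'UTF-8') . " </FONT> <BR>" .
      "Program terminating now - Please try again";
 exit();
} // end of function landlord_check($v_var, $v_txt)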
/*-------------------------------------------------------------*/

// $v_var is variable to check
// $v_txt is text-string-name of variable

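/**
 * Abort the request unless $v_var is one of the area names the form can
 * submit.  Prints an error page and exit()s on bad input; returns nothing.
 *
 * @param mixed  $v_var value read from $_POST (string, null or array)
 * @param string $v_txt field name, used only in the error message
 */
function area_check($v_var, $v_txt)
{
 // values the form can legitimately send; '' covers "not chosen" and a
 // missing (null) field, which is also treated as ''
 $v_allowed = array('', 'South Lynn', 'North Lynn', 'Central', 'Marsh Lane',
                    'Gaywood', 'Fairstead', 'South Wotton', 'North Wotton',
                    'Villages', 'Y', 'N');

 // a field sent as an array can never be valid; anything else is compared
 // as a string, strictly, so no type juggling
 $v_value = is_array($v_var) ? null : (string) $v_var;

 if ($v_value !== null && in_array($v_value, $v_allowed, true))
  return;

 // the rejected value is reflected back to the browser, so it must be
 // HTML-escaped here or this check becomes a reflected-XSS sink itself
 echo "<P> There is bad input in your <FONT COLOR='blue'> " .
      htmlspecialchars((string) $v_txt, ENT_QUOTES, 'UTF-8') . " </FONT> variable <BR>" .
      "This is NOT valid input  -> <FONT COLOR='red'> " .
      htmlspecialchars($v_value === null ? 'Array' : $v_value, ENT_QUOTES, 'UTF-8') . " </FONT> <BR>" .
      "Program terminating now - Please try again";
 exit();
} // end of function area_check($v_var, $v_txt)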
/*-------------------------------------------------------------*/

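/**
 * Abort the request unless $v_var is one of the garden sizes the form can
 * submit.  Prints an error page and exit()s on bad input; returns nothing.
 *
 * @param mixed  $v_var value read from $_POST (string, null or array)
 * @param string $v_txt field name, used only in the error message
 */
function garden_check($v_var, $v_txt)
{
 // values the form can legitimately send; '' covers "not chosen" and a
 // missing (null) field, which is also treated as ''
 $v_allowed = array('', 'None', 'Small', 'Medium', 'Large', 'Any size');

 // a field sent as an array can never be valid; anything else is compared
 // as a string, strictly, so no type juggling
 $v_value = is_array($v_var) ? null : (string) $v_var;

 if ($v_value !== null && in_array($v_value, $v_allowed, true))
  return;

 // the rejected value is reflected back to the browser, so it must be
 // HTML-escaped here or this check becomes a reflected-XSS sink itself
 echo "<P> There is bad input in your <FONT COLOR='blue'> " .
      htmlspecialchars((string) $v_txt, ENT_QUOTES, 'UTF-8') . " </FONT> variable <BR>" .
      "This is NOT valid input  -> <FONT COLOR='red'> " .
      htmlspecialchars($v_value === null ? 'Array' : $v_value, ENT_QUOTES, 'UTF-8') . " </FONT> <BR>" .
      "Program terminating now - Please try again";
 exit();
} // end of function garden_check($v_var, $v_txt)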
/*-------------------------------------------------------------*/

// $v_var is variable to check
// $v_txt is text-string-name of variable

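/**
 * Abort the request unless $v_var is an ON/OFF flag value (or unset).
 * Prints an error page and exit()s on bad input; returns nothing.
 *
 * @param mixed  $v_var value read from $_POST (string, null or array)
 * @param string $v_txt field name, used only in the error message
 */
function ON_OFF_check($v_var, $v_txt)
{
 // values the hidden field can legitimately carry; '' covers a missing
 // (null) field, which is also treated as ''
 $v_allowed = array('', 'ON', 'OFF');

 // a field sent as an array can never be valid; anything else is compared
 // as a string, strictly, so 'on', '1', etc. are rejected as before
 $v_value = is_array($v_var) ? null : (string) $v_var;

 if ($v_value !== null && in_array($v_value, $v_allowed, true))
  return;

 // the rejected value is reflected back to the browser, so it must be
 // HTML-escaped here or this check becomes a reflected-XSS sink itself
 echo "<P> There is bad input in your <FONT COLOR='blue'> " .
      htmlspecialchars((string) $v_txt, ENT_QUOTES, 'UTF-8') . " </FONT> variable <BR>" .
      "This is NOT valid input  -> <FONT COLOR='red'> " .
      htmlspecialchars($v_value === null ? 'Array' : $v_value, ENT_QUOTES, 'UTF-8') . " </FONT> <BR>" .
      "Program terminating now - Please try again";
 exit();
} // end of function ON_OFF_check($v_var, $v_txt)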
/*-------------------------------------------------------------*/

// $v_var is variable to check
// $v_txt is text-string-name of variable

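/**
 * Abort the request unless $v_var is one of the yes/no style values the form
 * can submit.  Prints an error page and exit()s on bad input; returns nothing.
 *
 * @param mixed  $v_var value read from $_POST (string, null or array)
 * @param string $v_txt field name, used only in the error message
 */
function Y_N_check($v_var, $v_txt)
{
 // values the form can legitimately send; '' covers "not chosen" and a
 // missing (null) field, which is also treated as ''.  'NULL' here is the
 // literal four-letter string, not a PHP null.
 $v_allowed = array('', 'Y', 'N', 'YES', 'NO', 'NOP', 'NULL');

 // a field sent as an array can never be valid; anything else is compared
 // as a string, strictly, so no type juggling
 $v_value = is_array($v_var) ? null : (string) $v_var;

 if ($v_value !== null && in_array($v_value, $v_allowed, true))
  return;

 // the rejected value is reflected back to the browser, so it must be
 // HTML-escaped here or this check becomes a reflected-XSS sink itself
 echo "<P> There is bad input in your <FONT COLOR='blue'> " .
      htmlspecialchars((string) $v_txt, ENT_QUOTES, 'UTF-8') . " </FONT> variable <BR>" .
      "This is NOT valid input  -> <FONT COLOR='red'> " .
      htmlspecialchars($v_value === null ? 'Array' : $v_value, ENT_QUOTES, 'UTF-8') . " </FONT> <BR>" .
      "Program terminating now - Please try again";
 exit();
} // end of function Y_N_check($v_var, $v_txt)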
/*-------------------------------------------------------------*/

// $v_var is variable to check
// $v_txt is text-string-name of variable

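/**
 * Abort the request unless $v_var is one of the submit-button captions the
 * forms can send.  Prints an error page and exit()s on bad input; returns
 * nothing.
 *
 * @param mixed  $v_var value read from $_POST (string, null or array)
 * @param string $v_txt field name, used only in the error message
 */
function submit_form_check($v_var, $v_txt)
{
 // values the form can legitimately send; '' covers a missing (null)
 // field, which is also treated as ''
 $v_allowed = array('', 'YES', 'NO', 'NOP',
                    'Search database',
                    'Add this comment to database',
                    'click here to find your record in the database');

 // a field sent as an array can never be valid; anything else is compared
 // as a string, strictly, so no type juggling
 $v_value = is_array($v_var) ? null : (string) $v_var;

 if ($v_value !== null && in_array($v_value, $v_allowed, true))
  return;

 // the rejected value is reflected back to the browser, so it must be
 // HTML-escaped here or this check becomes a reflected-XSS sink itself
 echo "<P> There is bad input in your <FONT COLOR='blue'> " .
      htmlspecialchars((string) $v_txt, ENT_QUOTES, 'UTF-8') . " </FONT> variable <BR>" .
      "This is NOT valid input  -> <FONT COLOR='red'> " .
      htmlspecialchars($v_value === null ? 'Array' : $v_value, ENT_QUOTES, 'UTF-8') . " </FONT> <BR>" .
      "Program terminating now - Please try again";
 exit();
} // end of function submit_form_check($v_var, $v_txt)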
/*-------------------------------------------------------------*/

// $v_var is variable to check
// $v_txt is text-string-name of variable

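/**
 * Abort the request unless $v_var is one of the known caller / action names.
 * Prints an error page and exit()s on bad input; returns nothing.
 *
 * NOTE(review): this only validates the spelling of the action name.  Whether
 * the current user is allowed to perform 'admin', 'update' or 'delete' is a
 * separate authorisation decision that must be enforced elsewhere.
 *
 * @param mixed  $v_var value read from the request (string, null or array)
 * @param string $v_txt field name, used only in the error message
 */
function caller_check($v_var, $v_txt)
{
 // action names the application recognises; '' covers a missing (null)
 // field, which is also treated as ''
 $v_allowed = array('', 'admin', 'view', 'update', 'delete', 'dba_dr',
                    'find_rec', 'find_com', 'viz_rec', 'viz_com');

 // a field sent as an array can never be valid; anything else is compared
 // as a string, strictly, so no type juggling
 $v_value = is_array($v_var) ? null : (string) $v_var;

 if ($v_value !== null && in_array($v_value, $v_allowed, true))
  return;

 // the rejected value is reflected back to the browser, so it must be
 // HTML-escaped here or this check becomes a reflected-XSS sink itself
 echo "<P> There is bad input in your <FONT COLOR='blue'> " .
      htmlspecialchars((string) $v_txt, ENT_QUOTES, 'UTF-8') . " </FONT> variable <BR>" .
      "This is NOT valid input  -> <FONT COLOR='red'> " .
      htmlspecialchars($v_value === null ? 'Array' : $v_value, ENT_QUOTES, 'UTF-8') . " </FONT> <BR>" .
      "Program terminating now - Please try again";
 exit();
} // end of function caller_check($v_var, $v_txt)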
/*-------------------------------------------------------------*/

// $v_var is variable to check
// $v_txt is text-string-name of variable
// a wrapper for caller_check() above

/**
 * Validate a "returner" value with exactly the same allowed list as
 * caller_check(); exit()s on bad input, returns nothing otherwise.
 *
 * @param mixed  $v_var value to check
 * @param string $v_txt field name, used only in the error message
 */
function returner_check($v_var, $v_txt)
{
 // same rules as a caller name - delegate rather than duplicate the list
 return caller_check($v_var, $v_txt);
} // end of function returner_check($v_var, $v_txt)
/*-------------------------------------------------------------*/


HTH - Keith



