Vulnerability Development mailing list archives

RE: CROSS SITE-SCRIPTING Protection with PHP


From: "b0iler _" <b0iler () hotmail com>
Date: Tue, 15 Oct 2002 04:04:13 -0600

> I am searching for a robust and easy way to protect all the PHP sites against XSS attacks. I would like to see more and better ways ?!

It is close to impossible to protect all php scripts from XSS, this is
because scripting can be interpreted in so many different ways by browsers.
I plan on writing a paper on how to evade script filtering in web
applications soon.  I hope this stops people from relying on
htmlspecialchars() to save them from XSS.  This will not protect
you from all scripting attacks!

Also, you are just sending the input values of parameters.  What about the
names of the parameters (the $key variables)?  They could contain potentially
dangerous XSS which is often printed to the client.  Also, user input (GPC)
is not the only tainted data in a script.  Any data that comes from an
outside source is potentially dangerous. Files, databases, ENV variables,
etc. need to be treated as if they contain the most clever tricks to evade
your filtering and protection schemes.

XSS, script injection, file writing, etc (any output problem) should all be
solved by output filters.  Doing input filtering does no good if the string
can be manipulated or other values printed to the output from within the
script.  The best solution I've seen is based on the idea Sverre H. Huseby brought
up of keeping the tainted (variable - anything that could be changed by an
attacker or could hold unsafe data) and safe (static - defined within the
script or known to be safe) data separate and then filtering the possibly
tainted data as a whole before output.

A universal solution to XSS or almost any security problem is not possible.
This is because you need to consider function as well as security. Being able to not allow [^a-zA-Z0-9] is great, but this limits things severely. I don't
think it is good to be giving programmers the idea that security can be
solved by pasting in a few lines of code in their programs.  Instead they
should be aware of the security issues, and have to come up with dynamic
solutions themselves.  Make them think, they are programmers after all.

Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP.  Anyone
take a stab at it yet?

$value = preg_replace("%[^a-zA-Z0-9]%", ' ', $value);

Personally, I signed up to this list to get vulnerability development
discussion.  I do not know how this thread would ever pass as that.

--
please use b0iler ^^at^^ eyeonsecurity.net my smtp is just acting up atm.
http://b0iler.eyeonsecurity.net
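A sketch of the tainted/safe separation the post describes, as an added example that is not part of the original message or of Huseby's work (assumes PHP 8.1 or later; the Safe, Tainted, render and escapeHtml names are invented here):

```php
<?php
// Added example (not from the original post): keep data an attacker can
// influence (request keys and values, files, DB rows, ENV) apart from static
// text, and escape the tainted parts only at the moment of output.

final class Safe {                 // static text defined inside the script
    public function __construct(public readonly string $text) {}
}

final class Tainted {              // anything that came from an outside source
    public function __construct(public readonly string $text) {}
}

// Escape a tainted string for an HTML text or quoted-attribute context.
function escapeHtml(string $s): string {
    // ENT_QUOTES handles both quote styles; the charset is given explicitly so
    // a malformed multibyte sequence cannot hide a quote or an angle bracket.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render fragments in order: Safe passes through, Tainted is escaped,
// and an untyped string is refused so no fragment can skip the decision.
function render(array $fragments): string {
    $out = '';
    foreach ($fragments as $f) {
        $out .= match (true) {
            $f instanceof Safe    => $f->text,
            $f instanceof Tainted => escapeHtml($f->text),
            default => throw new InvalidArgumentException('untyped fragment'),
        };
    }
    return $out;
}

// Constructed request (not real traffic): the parameter *name* is hostile as
// well as its value, which is the case the post says most filters overlook.
$request = ['<script>alert(1)</script>' => '" onmouseover="alert(2)'];

$page = [new Safe('<ul>')];
foreach ($request as $key => $value) {
    $page[] = new Safe('<li title="');
    $page[] = new Tainted($value);   // lands inside a quoted attribute
    $page[] = new Safe('">');
    $page[] = new Tainted($key);     // $key is tainted too, never trusted
    $page[] = new Safe('</li>');
}
$page[] = new Safe('</ul>');

echo render($page), PHP_EOL;
```

The escaper here only covers HTML text and quoted attributes; a tainted value placed in a URL, a JavaScript block or a file path needs its own output filter for that context, which is the post's point about not relying on htmlspecialchars() alone.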
