WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: XSS, SQL injection etc - permutations of input strings

From: focus () karsites net
Date: Fri, 24 Sep 2004 21:04:13 +0000 (GMT)

Thankyou for your comments Devdas.

On Wed, 22 Sep 2004, Devdas Bhagat wrote:


To: webappsec () securityfocus com
From: Devdas Bhagat <devdas () dvb homelinux org>
Subject: Re: XSS, SQL injection etc - permutations of input strings

Actually, there are two types of user input, untrusted and untrusted.
You are assuming that the only input possible is via the browser
interface.
What happens if that is bypassed?


No - if an attacker creates some custom attack forms on
their machine , and POST's them to the appropriate pages on
my server, all the checking functions are still waiting to
check user I/P at the server end (see examples further
down)- So I don't do hacking checks in J/S at the Browser
end, as you rightly point out - that can be by-passed!


I use php on my server, and do not allow passing of values
in the URL query string - probably a bit to restrictive for
most sites that like to pass the session ID in the URL.


So you block http get?


Yes - if you take a look at www.karsites.net - I use the
following function (in php on the server) to block any GET's
that try to pass values in the URL. GET's without URL
variables are accepted.

At the start of each script you will need to put:

// get the URL query string and put into global scope!
$v_url_string = $_SERVER["QUERY_STRING"];

/*-------------------------------------------------------------*/

/* Call this function at the start of each script to detect
   and stop unexpected variables from being passed
   with the 'GET' URL query string. */

function url_check($v_url_string)
{
 if ('' != $v_url_string)
 {
  echo '<P> Passing of variables by URL query string is not supported! <BR>'.
       'Program terminating now - Please try again';
  echo '<P> Found in URL -> ' . $v_url_string . '<BR>';
  exit();
 }
}
/*-------------------------------------------------------------*/

I suppose the above fuction may be adapted to do alot less
restrictive URL checking, and just allow a SID to be passed;
anything else - terminate the script.

Or - even call other checking functions as per examples
below, to check URL variable names and content. I found it
alot easier to scrap passing of variables in the GET
method, and just focus on the POST vars instead.

(I also use POST to force a reload of the pages, as GET
sometimes comes from a cache, which would mean old
dynamic pages being served up to the user).



  string_check($v_ref_number, 'v_ref_number');
  property_check($v_wants_property, 'v_wants_property');
  area_check($v_wants_area, 'v_wants_area');
  Y_N_check($v_wants_careline, 'v_wants_careline');
  Y_N_check($v_wants_pics, 'v_wants_pics');

Once all the inputs have been checked at the start of the
script, then I only refer to the checked and validated
values in the php variables. I do not refer to the values in
$_POST["v_name"] , as these contain the unchecked values.


A good way of doing things. Personally, I would prefer an interface like
$untainted_variable = check(type, variable)
where the check method knows about the appropriate bounds for 'type'.


Yes - that is another way of doing the checking - or maybe
something similar to:

 $untainted_var1 = input_type_check($_POST["var1"], 'var1_name');

 $v_wants_area = area_check($_POST["v_wants_area"], 'v_wants_area');


Here are a few of the custom php checking functions I use to
check certain types of user I/P - they are a bit verbose and
in need of optimisation (The error message part could be
made into a seperate function, to reduce code size).

// Called via string_check() at the start of each script, to identify the string
// find_txt (in lowercase, uppercase, or any combination of case) (or single
// character) hidden inside form variables posted to the server, and terminate
// this script if found.

// $v_var is variable to check
// $v_varname is text string name of variable
// $v_find_txt is the string to look for in $v_var

function string_hacking_check($v_var, $v_varname, $v_find_txt)
{
 $v_str1 = strtolower($v_var);
 $v_str2 = strtolower($v_find_txt);

 $v_found = strchr($v_str1, "$v_str2");

 if ('' <> $v_found)
 {
  echo "<P> The character or word <FONT COLOR='red'> $v_find_txt </FONT>".
       "was found in your <FONT COLOR='blue'> $v_varname </FONT> variable <BR>".
       "This is NOT valid input -> <FONT COLOR='red'> $v_var </FONT> <BR>".
       "Program terminating now - Please try again";
  exit();
 }
} // end of function string_hacking_check($v_var)
/*-------------------------------------------------------------*/

// function to remove any invalid characters from form input
// variables without terminating the script being checked

// $v_var is variable to check for invalid characters

function strip_invalid_chars($v_var)
{
 $v_new_txt = strtolower($v_var);

 /////////////////////////////////
 // strip escaped characters
 $v_new_txt = str_replace("\'", "", $v_new_txt);
 $v_new_txt = str_replace("\"", "", $v_new_txt);
 $v_new_txt = str_replace("\\", "", $v_new_txt);

 /////////////////////////////////
 // strip unwanted ordinary characters

 $v_new_txt = str_replace("/", "", $v_new_txt);
 $v_new_txt = str_replace(";", "", $v_new_txt);
 // test data
 $v_new_txt = str_replace("***", "", $v_new_txt);
 $v_new_txt = str_replace("aBc", "", $v_new_txt);

 return $v_new_txt;

} // end of function strip_invalid_chars($v_var)
/*-------------------------------------------------------------*/

// function to strip a string from a form variable WITHOUT terminating the
// script. String may be in lowercase, uppercase, or any combination.
// this function is called from string_check(...) below
//
// $v_var is variable to check
// $v_varname is the text-string-name of the variable
// $v_txt_str is the string to strip from $v_var

function strip_invalid_string($v_var, $v_varname, $v_txt_str)
{
 $v_new_txt = trim($v_var);

 $v_str1 = strtolower($v_new_txt);
 $v_str2 = strtolower($v_txt_str);

 $v_new_txt = str_replace($v_str2, "", $v_str1);

 if ('v_name' == $v_varname)
  $v_new_txt = ucwords($v_new_txt);

 if ('v_address' == $v_varname)
  $v_new_txt = ucwords($v_new_txt);

 if ('v_post_code' == $v_varname)
  $v_new_txt = strtoupper($v_new_txt);

 if ('v_phone_number' == $v_varname)
  $v_new_txt = strtoupper($v_new_txt);

 if ('v_extra_info' == $v_varname)
  $v_new_txt = ucwords($v_new_txt);

 if ('****' == $v_varname)
  $v_new_txt = $v_var;

 return $v_new_txt;

} // end of function strip_invalid_string($v_var)
/*-------------------------------------------------------------*/

/* check for unknown input from form variables  */

// $v_var is variable to check
// $v_txt is text-string-name of variable

function string_check($v_var, $v_txt)
{
 // strip out any php or html tags first
 $v_var = strip_tags($v_var);

 // check for other known hacking strings and STOP script if found
 // add as many more checks here as needed

 // string_hacking_check($v_var, $v_txt, 'here');
 // string_hacking_check($v_var, $v_txt, 'there');
 // string_hacking_check($v_var, $v_txt, 'and everywhere');

 // strip characters or strings from form variables
 // WITHOUT stopping the script - extend this part as required

 // strip out invalid control characters first
 $v_new_str = strip_invalid_chars($v_var);

 // strip invalid strings from form variables
 $v_new_str = strip_invalid_string($v_new_str, $v_txt, '');
 // $v_new_str = strip_invalid_string($v_new_str, $v_txt, 'ZZZ');

 return $v_new_str;

} // end of function string_check($v_var)
/*-------------------------------------------------------------*/

// the following checking functions should be self-explanatory!

// $v_var is variable to check
// $v_txt is text-string-name of variable

function property_check($v_var, $v_txt)
{
 // initialise checked_OK variable
 $v_checked_OK = 'NO';

 if ('' == $v_var
     OR 'House' == $v_var
     OR 'Bungalow' == $v_var
     OR 'Bedsit' == $v_var
     OR 'Downstairs Flat' == $v_var
     OR 'Downstairs Maisonette' == $v_var
     OR 'Upstairs Flat' == $v_var
     OR 'Upstairs Maisonette' == $v_var
     OR 'Y' == $v_var
     OR 'N' == $v_var)

     $v_checked_OK = 'YES';

 if ( 'NO' == $v_checked_OK)
 {
  echo "<P> There is bad input in your <FONT COLOR='blue'> $v_txt </FONT> variable <BR>" .
       "This is NOT valid input  -> <FONT COLOR='red'> $v_var </FONT> <BR>".
       "Program terminating now - Please try again";
  exit();
 }
} // end of function property_check($v_var, $v_txt)
/*-------------------------------------------------------------*/

// $v_var is variable to check
// $v_txt is text-string-name of variable

function area_check($v_var, $v_txt)
{
 // initialise checked_OK variable
 $v_checked_OK = 'NO';

 if ('' == $v_var
     OR 'South Lynn' == $v_var
     OR 'North Lynn' == $v_var
     OR 'Central' == $v_var
     OR 'Marsh Lane' == $v_var
     OR 'Gaywood' == $v_var
     OR 'Fairstead' == $v_var
     OR 'South Wotton' == $v_var
     OR 'North Wotton' == $v_var
     OR 'Villages' == $v_var
     OR 'Y' == $v_var
     OR 'N' == $v_var)

     $v_checked_OK = 'YES';

 if ( 'NO' == $v_checked_OK)
 {
  echo "<P> There is bad input in your <FONT COLOR='blue'> $v_txt </FONT> variable <BR>" .
       "This is NOT valid input  -> <FONT COLOR='red'> $v_var </FONT> <BR>".
       "Program terminating now - Please try again";
  exit();
 }
} // end of function area_check($v_var, $v_txt)
/*-------------------------------------------------------------*/

You may use these checking functions ENTIRELY AT YOUR OWN RISK!

Kind Regards - Keith Roberts
Previous By Date Next
Previous By Thread Next

Current thread: