WebApp Sec mailing list archives
RE: XSS, SQL injection etc - permutations of input strings
From: "Michael Silk" <michaels () phg com au>
Date: Tue, 28 Sep 2004 14:18:15 +1000
Hi Keith,
Of course by simply printing out exactly what is posted to you
on error (i.e. GET instead of POST, etc) you
leave yourself open to silly forms of xss... Specifically:
Hi keith, click here:
[http://www.karsites.net/KAR/websites/live/muxreg/anyuser/search.hml?v_s
ubmit_form=<script>alert(document.cookie)</script>] to visit your site!
-- Michael
-----Original Message-----
From: focus () karsites net [mailto:focus () karsites net]
Sent: Saturday, 25 September 2004 7:04 AM
To: webappsec () securityfocus com
Subject: Re: XSS, SQL injection etc - permutations of input strings
Thankyou for your comments Devdas.
On Wed, 22 Sep 2004, Devdas Bhagat wrote:
To: webappsec () securityfocus com From: Devdas Bhagat <devdas () dvb homelinux org> Subject: Re: XSS, SQL injection etc - permutations of input strings Actually, there are two types of user input, untrusted and untrusted. You are assuming that the only input possible is via the browser interface. What happens if that is bypassed?
No - if an attacker creates some custom attack forms on their machine , and POST's them to the appropriate pages on my server, all the checking functions are still waiting to check user I/P at the server end (see examples further down)- So I don't do hacking checks in J/S at the Browser end, as you rightly point out - that can be by-passed!
I use php on my server, and do not allow passing of values in the URL query string - probably a bit to restrictive for most sites that
like to pass the session ID in the URL.So you block http get?
Yes - if you take a look at www.karsites.net - I use the following
function (in php on the server) to block any GET's that try to pass
values in the URL. GET's without URL variables are accepted.
At the start of each script you will need to put:
// get the URL query string and put into global scope!
$v_url_string = $_SERVER["QUERY_STRING"];
/*-------------------------------------------------------------*/
/* Call this function at the start of each script to detect
and stop unexpected variables from being passed
with the 'GET' URL query string. */
function url_check($v_url_string)
{
if ('' != $v_url_string)
{
echo '<P> Passing of variables by URL query string is not supported!
<BR>'.
'Program terminating now - Please try again';
echo '<P> Found in URL -> ' . $v_url_string . '<BR>';
exit();
}
}
/*-------------------------------------------------------------*/
I suppose the above fuction may be adapted to do alot less restrictive
URL checking, and just allow a SID to be passed; anything else -
terminate the script.
Or - even call other checking functions as per examples below, to check
URL variable names and content. I found it alot easier to scrap passing
of variables in the GET method, and just focus on the POST vars instead.
(I also use POST to force a reload of the pages, as GET sometimes comes
from a cache, which would mean old dynamic pages being served up to the
user).
string_check($v_ref_number, 'v_ref_number'); property_check($v_wants_property, 'v_wants_property'); area_check($v_wants_area, 'v_wants_area'); Y_N_check($v_wants_careline, 'v_wants_careline'); Y_N_check($v_wants_pics, 'v_wants_pics'); Once all the inputs have been checked at the start of the script, then I only refer to the checked and validated values in the php variables. I do not refer to the values in $_POST["v_name"] , as these contain the unchecked values.A good way of doing things. Personally, I would prefer an interface like $untainted_variable = check(type, variable) where the check method knows about the appropriate bounds for 'type'.
Yes - that is another way of doing the checking - or maybe something
similar to:
$untainted_var1 = input_type_check($_POST["var1"], 'var1_name');
$v_wants_area = area_check($_POST["v_wants_area"], 'v_wants_area');
Here are a few of the custom php checking functions I use to check
certain types of user I/P - they are a bit verbose and in need of
optimisation (The error message part could be made into a seperate
function, to reduce code size).
// Called via string_check() at the start of each script, to identify
the string // find_txt (in lowercase, uppercase, or any combination of
case) (or single // character) hidden inside form variables posted to
the server, and terminate // this script if found.
// $v_var is variable to check
// $v_varname is text string name of variable // $v_find_txt is the
string to look for in $v_var
function string_hacking_check($v_var, $v_varname, $v_find_txt) {
$v_str1 = strtolower($v_var);
$v_str2 = strtolower($v_find_txt);
$v_found = strchr($v_str1, "$v_str2");
if ('' <> $v_found)
{
echo "<P> The character or word <FONT COLOR='red'> $v_find_txt
</FONT>".
"was found in your <FONT COLOR='blue'> $v_varname </FONT>
variable <BR>".
"This is NOT valid input -> <FONT COLOR='red'> $v_var </FONT>
<BR>".
"Program terminating now - Please try again";
exit();
}
} // end of function string_hacking_check($v_var)
/*-------------------------------------------------------------*/
// function to remove any invalid characters from form input //
variables without terminating the script being checked
// $v_var is variable to check for invalid characters
function strip_invalid_chars($v_var)
{
$v_new_txt = strtolower($v_var);
/////////////////////////////////
// strip escaped characters
$v_new_txt = str_replace("\'", "", $v_new_txt); $v_new_txt =
str_replace("\"", "", $v_new_txt); $v_new_txt = str_replace("\\", "",
$v_new_txt);
/////////////////////////////////
// strip unwanted ordinary characters
$v_new_txt = str_replace("/", "", $v_new_txt); $v_new_txt =
str_replace(";", "", $v_new_txt); // test data $v_new_txt =
str_replace("***", "", $v_new_txt); $v_new_txt = str_replace("aBc", "",
$v_new_txt);
return $v_new_txt;
} // end of function strip_invalid_chars($v_var)
/*-------------------------------------------------------------*/
// function to strip a string from a form variable WITHOUT terminating
the // script. String may be in lowercase, uppercase, or any
combination.
// this function is called from string_check(...) below // // $v_var is
variable to check // $v_varname is the text-string-name of the variable
// $v_txt_str is the string to strip from $v_var
function strip_invalid_string($v_var, $v_varname, $v_txt_str) {
$v_new_txt = trim($v_var);
$v_str1 = strtolower($v_new_txt);
$v_str2 = strtolower($v_txt_str);
$v_new_txt = str_replace($v_str2, "", $v_str1);
if ('v_name' == $v_varname)
$v_new_txt = ucwords($v_new_txt);
if ('v_address' == $v_varname)
$v_new_txt = ucwords($v_new_txt);
if ('v_post_code' == $v_varname)
$v_new_txt = strtoupper($v_new_txt);
if ('v_phone_number' == $v_varname)
$v_new_txt = strtoupper($v_new_txt);
if ('v_extra_info' == $v_varname)
$v_new_txt = ucwords($v_new_txt);
if ('****' == $v_varname)
$v_new_txt = $v_var;
return $v_new_txt;
} // end of function strip_invalid_string($v_var)
/*-------------------------------------------------------------*/
/* check for unknown input from form variables */
// $v_var is variable to check
// $v_txt is text-string-name of variable
function string_check($v_var, $v_txt)
{
// strip out any php or html tags first $v_var = strip_tags($v_var);
// check for other known hacking strings and STOP script if found //
add as many more checks here as needed
// string_hacking_check($v_var, $v_txt, 'here'); //
string_hacking_check($v_var, $v_txt, 'there'); //
string_hacking_check($v_var, $v_txt, 'and everywhere');
// strip characters or strings from form variables // WITHOUT stopping
the script - extend this part as required
// strip out invalid control characters first $v_new_str =
strip_invalid_chars($v_var);
// strip invalid strings from form variables $v_new_str =
strip_invalid_string($v_new_str, $v_txt, ''); // $v_new_str =
strip_invalid_string($v_new_str, $v_txt, 'ZZZ');
return $v_new_str;
} // end of function string_check($v_var)
/*-------------------------------------------------------------*/
// the following checking functions should be self-explanatory!
// $v_var is variable to check
// $v_txt is text-string-name of variable
function property_check($v_var, $v_txt)
{
// initialise checked_OK variable
$v_checked_OK = 'NO';
if ('' == $v_var
OR 'House' == $v_var
OR 'Bungalow' == $v_var
OR 'Bedsit' == $v_var
OR 'Downstairs Flat' == $v_var
OR 'Downstairs Maisonette' == $v_var
OR 'Upstairs Flat' == $v_var
OR 'Upstairs Maisonette' == $v_var
OR 'Y' == $v_var
OR 'N' == $v_var)
$v_checked_OK = 'YES';
if ( 'NO' == $v_checked_OK)
{
echo "<P> There is bad input in your <FONT COLOR='blue'> $v_txt
</FONT> variable <BR>" .
"This is NOT valid input -> <FONT COLOR='red'> $v_var </FONT>
<BR>".
"Program terminating now - Please try again";
exit();
}
} // end of function property_check($v_var, $v_txt)
/*-------------------------------------------------------------*/
// $v_var is variable to check
// $v_txt is text-string-name of variable
function area_check($v_var, $v_txt)
{
// initialise checked_OK variable
$v_checked_OK = 'NO';
if ('' == $v_var
OR 'South Lynn' == $v_var
OR 'North Lynn' == $v_var
OR 'Central' == $v_var
OR 'Marsh Lane' == $v_var
OR 'Gaywood' == $v_var
OR 'Fairstead' == $v_var
OR 'South Wotton' == $v_var
OR 'North Wotton' == $v_var
OR 'Villages' == $v_var
OR 'Y' == $v_var
OR 'N' == $v_var)
$v_checked_OK = 'YES';
if ( 'NO' == $v_checked_OK)
{
echo "<P> There is bad input in your <FONT COLOR='blue'> $v_txt
</FONT> variable <BR>" .
"This is NOT valid input -> <FONT COLOR='red'> $v_var </FONT>
<BR>".
"Program terminating now - Please try again";
exit();
}
} // end of function area_check($v_var, $v_txt)
/*-------------------------------------------------------------*/
You may use these checking functions ENTIRELY AT YOUR OWN RISK!
Kind Regards - Keith Roberts
This email message and accompanying data may contain information that is confidential and/or subject to legal
privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying
of this message or data is prohibited. If you have received this email message in error, please notify us immediately
and erase all copies of this message and attachments.
This email is for your convenience only, you should not rely on any information contained herein for contractual or
legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by
authorised persons.
Current thread:
- Hacking/security in main-stream media, (continued)
- Hacking/security in main-stream media Mike Andrews (Sep 30)
- List of Movies with security emphasis (in reply to: Hacking/security in main-stream media) saphyr (Sep 30)
- Re: Hacking/security in main-stream media Andrew Sledge (Sep 30)
- Re: Hacking/security in main-stream media Jason Merriman (Sep 30)
- Re: Hacking/security in main-stream media Damon Leung (Sep 30)
- Re: Hacking/security in main-stream media Vlado Blaskov (Sep 30)
- RE: XSS, SQL injection etc - permutations of input strings RSnake (Sep 28)
- RE: XSS, SQL injection etc - permutations of input strings Conacher, Chris (Sep 23)
- RE: XSS, SQL injection etc - permutations of input strings Keith Roberts (Sep 27)
- RE: XSS, SQL injection etc - permutations of input strings focus (Sep 29)
- RE: XSS, SQL injection etc - permutations of input strings Michael Silk (Sep 29)
- RE: XSS, SQL injection etc - permutations of input strings Shields, Larry (Sep 30)
- Re: XSS, SQL injection etc - permutations of input strings James Barkley (Sep 30)