PHP Specific XSS

Associate
Joined
2 Jun 2014
Posts
1,219
Having real trouble understanding this. I'm explaining and giving examples of cross site scripting but I'm being quite general I think. I have to try and relate it as much as possible to PHP. Now, you write PHP and the browser effectively converts this to HTML.

If I were to put <script>alert("hacked")</script> into a search form, I might, if the web application doesn't filter for malicious code, get an alert box that says "hacked".

Now, as far as I'm aware this is a persistent XSS attack. But how would this affect the PHP? I know it's the browser that initiates the code. Just a little bit lost I think.

A point in the right direction would be greatly appreciated. And please forgive me, coding is not really my thing.

And hopefully this is ok, if not please remove!
 
Soldato
Joined
6 Aug 2007
Posts
2,516
I don't know what you mean by PHP specific XSS, XSS is not PHP specific at all.. Python, Ruby and PHP are all capable if not handled correctly to bring on these sorts of exploits.

It is the JavaScript that causes the real damage when it comes to XSS.

Regarding persistent and non-persistent attacks, the non-persistent attacks have to somehow manipulate the user to click the link, searches are common for these sorts of attacks. The other method affects everyone, a good example is say a shout box.. an attacker may embed a 1x1 iframe containing malicious code along with a message, to the user it looks exactly how they expect and most have no idea a third party script is being executed.

A rule I always stick to when it comes to PHP: filter input, escape output.

It helps to treat every user as a bad egg.

I'm not very good at explaining things but hopefully that steers you in the right direction.
 
Associate
OP
Joined
2 Jun 2014
Posts
1,219
Thanks Jim. Big help. With my search box example above. That would be persistent right? Because the data input would be appended to the server. Whereas non-persistent is temporary and not stored on the server?

There's lots of misinformation on the web. Some say my example is persistent others say non-persistent.

Basically I have to connect cross site scripting to flaws found in PHP/mySQL. If that makes sense? I'm not great at explaining things too I'm afraid. :p

Currently talking about circumventing attacks when the register_globals directive is turned on in php.ini. Initializing variables and what not.
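The register_globals point above, as an added example that is not code from this thread. register_globals = On (the default before PHP 4.2, removed in 5.4) turned every request parameter into a top-level PHP variable; extract() is used here only to simulate that so the script runs on a current PHP, and authenticated_user() is a constructed stand-in for a real login check.

```php
<?php
declare(strict_types=1);

// Added example, not from this thread. Constructed request: an attacker has
// appended ?authorized=1&user=mallory to the URL.
$request = ['authorized' => '1', 'user' => 'mallory'];

// Simulate register_globals = On: every request parameter becomes a global
// variable. extract() on request data is itself a pattern to avoid; it is used
// here only to reproduce the old behaviour.
extract($request);   // now $authorized === '1' and $user === 'mallory'

// Constructed stand-in for whatever real credential check an application has.
function authenticated_user(string $user): bool
{
    return $user === 'alice';
}

// VULNERABLE pattern (the one in the PHP manual's register_globals warning):
// the flag is only ever SET, never initialised, so the value the request
// injected survives when the check fails.
if (authenticated_user($user)) {
    $authorized = true;
}
echo 'unsafe check: ', ($authorized ? 'access granted' : 'denied'), PHP_EOL;

// FIXED pattern: initialise every variable before use, and read input only
// through the superglobals ($request stands in for $_GET here) so nothing the
// client sends can pre-populate a local variable.
$authorized = false;
$user = (string) ($request['user'] ?? '');
if (authenticated_user($user)) {
    $authorized = true;
}
echo 'safe check: ', ($authorized ? 'access granted' : 'denied'), PHP_EOL;
```

Run with the PHP CLI: the first check grants access to "mallory" because the injected "1" is truthy, the second denies it. The fix is the one the post describes, initialise before use; keeping register_globals off (or running a PHP version that no longer has it) removes the injection path entirely.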
 
Soldato
Joined
6 Aug 2007
Posts
2,516
With my search box example above. That would be persistent right? Because the data input would be appended to the server. Whereas non-persistent is temporary and not stored on the server?

That would be non-persistent, as each search is individual to each user and is only visible to them. To be exploited a user has to click a link to access the page with the modified search HTTP query parameters.

http://en.wikipedia.org/wiki/Cross-site_scripting#Non-persistent

You should never rely on register globals, instead manually escape stuff with either htmlentities or htmlspecialchars.
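The "filter input, escape output" rule from earlier in the thread and the htmlspecialchars advice just above, applied to the search-box case, as an added example that is not code from this thread. The request array is constructed inline so the script runs from the command line; in a real page the value would come from $_GET['q']. The helper names (filter_search_term, esc_html, esc_url_param, render_vulnerable, render_safe) are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from this thread. Constructed request using the payload
// from the first post; in a real page this would be $_GET['q'].
$request = ['q' => '<script>alert("hacked")</script>'];

// Step 1, filter input: decide what a search term may be and reject the rest.
// Here: a string, trimmed, 1..100 characters of valid UTF-8, no control characters.
function filter_search_term($raw): ?string
{
    if (!is_string($raw)) {
        return null;                       // missing value or array parameter
    }
    $q = trim($raw);
    if ($q === '' || !mb_check_encoding($q, 'UTF-8') || mb_strlen($q, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $q) === 1) {
        return null;
    }
    return $q;
}

// Step 2, escape output: encode for the context the value lands in.
// htmlspecialchars with ENT_QUOTES covers element text and quoted attributes;
// a URL query component needs rawurlencode instead.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Vulnerable page: the raw parameter is echoed, so the <script> element reaches
// the browser intact and runs with the site's origin. Filtering alone does not
// fix this: a term such as "<b>bold</b>" passes filter_search_term() unchanged.
function render_vulnerable(array $request): string
{
    $q = $request['q'] ?? '';
    return "<p>Results for: $q</p>";
}

// Hardened page: same markup, every interpolation escaped for its context.
function render_safe(array $request): string
{
    $q = filter_search_term($request['q'] ?? null);
    if ($q === null) {
        return '<p>Invalid search term.</p>';
    }
    return '<p>Results for: ' . esc_html($q) . "</p>\n"
        . '<a href="/search?q=' . esc_url_param($q) . '&amp;page=2">Next page</a>' . "\n"
        . '<input type="text" name="q" value="' . esc_html($q) . '">';
}

echo "--- vulnerable ---\n", render_vulnerable($request), "\n";
echo "--- hardened ---\n", render_safe($request), "\n";
```

The vulnerable output contains the script element verbatim; the hardened output shows it as text (the angle brackets and quotes become entities), which is exactly why this is a reflected (non-persistent) case: nothing is stored, the browser is just handed back whatever was in the query string. The same escaping applies unchanged if the term came out of a MySQL table instead of the URL, which is the persistent variant.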
 
Associate
OP
Joined
2 Jun 2014
Posts
1,219
That would be non-persistent, as each search is individual to each user and is only visible to them. To be exploited a user has to click a link to access the page with the modified search HTTP query parameters.

http://en.wikipedia.org/wiki/Cross-site_scripting#Non-persistent

You should never rely on register globals, instead manually escape stuff with either htmlentities or htmlspecialchars.

Thanks again. Think I will amend a few things. Very confusing trying to get your head around it when it's your first time researching.

Not really sure what you're trying to get at, but I've always found owasp to be the best resource for web security stuff: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

In all honesty, I'm not quite sure TBH. I'm writing about XSS and trying to make it as relevant to PHP as possible. But it's all PHP right? Thanks for the resource, will check it out tomorrow when I have more energy. ;)
 
Associate
Joined
10 Nov 2013
Posts
1,808
Well XSS is just an attack that a server might be vulnerable to. The principles of defending against XSS attacks are the same if the server is written in PHP or not - validate and escape all input and output.
 
Associate
Joined
21 May 2013
Posts
1,991
General rule: if it's user input, you should always check it is what it's supposed to be. Validate what you're using before you use it.
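The validate-before-use rule, as an added example that is not code from this thread: each input is checked against what it is supposed to be (a positive integer, a column name from a fixed list, an e-mail address) and rejected otherwise, rather than "cleaned". The sample requests are constructed; in a real script they would come from $_GET or $_POST, and the validated_* function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from this thread. Each rule returns the validated,
// correctly typed value or throws, so the rest of the code never touches raw input.
function validated_id($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

function validated_sort($raw): string
{
    $allowed = ['name', 'price', 'date'];          // allowlist of real column names
    if (!is_string($raw) || !in_array($raw, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort field');
    }
    return $raw;
}

function validated_email($raw): string
{
    $email = is_string($raw) ? filter_var($raw, FILTER_VALIDATE_EMAIL) : false;
    if ($email === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $email;
}

// Constructed requests: one well-formed, three with a wrong value, name or type.
$samples = [
    ['id' => '42',    'sort' => 'price',  'email' => 'alice@example.com'],
    ['id' => '42abc', 'sort' => 'price',  'email' => 'alice@example.com'],
    ['id' => '7',     'sort' => 'rating', 'email' => 'bob@example.org'],
    ['id' => ['1'],   'sort' => 'date',   'email' => 'not an address'],
];

foreach ($samples as $i => $req) {
    try {
        $id    = validated_id($req['id'] ?? null);
        $sort  = validated_sort($req['sort'] ?? null);
        $email = validated_email($req['email'] ?? null);
        // Only validated values get this far. $id still belongs in a bound
        // parameter of a prepared statement; $sort can be interpolated into
        // ORDER BY only because it came from the fixed allowlist above.
        echo "request $i accepted: id=$id sort=$sort email=$email\n";
    } catch (InvalidArgumentException $e) {
        echo "request $i rejected: ", $e->getMessage(), "\n";
    }
}
```

Only the first request is accepted; the others are rejected at the first failing rule. Validation and output escaping are separate steps: a value that passed validation still gets htmlspecialchars() when it is echoed into HTML, because validation says what the value is, not where it will be used.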
 