Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

XSS attack to bypass htmlspecialchars() function in value attribute

Tags:

Let's say we have this form, and the possible part for a user to inject malicious code is this below

... <input type=text name=username value=        <?php echo htmlspecialchars($_POST['username']); ?>> ... 

We can't simply put a tag, or a javascript:alert(); call, because value will be interpreted as a string, and htmlspecialchars filters out the <,>,',", so We can't close off the value with quotations.

We can use String.fromCode(.....) to get around the quotes, but I still unable to get a simple alert box to pop up.

Any ideas?

like image 223
Setzer Avatar asked May 24 '10 02:05

Setzer


People also ask

Is Htmlspecialchars enough to prevent XSS?

htmlspecialchars() is enough to prevent document-creation-time HTML injection with the limitations you state (ie no injection into tag content/unquoted attribute). However there are other kinds of injection that can lead to XSS and: There are no <script> tags in the document.

What is the purpose of the Htmlspecialchars () function?

The htmlspecialchars() function converts some predefined characters to HTML entities.

When should I use Htmlspecialchars?

You use htmlspecialchars EVERY time you output content within HTML, so it is interpreted as content and not HTML. If you allow content to be treated as HTML, you have just opened the door to bugs at a minimum, and total XSS hacks at worst.


2 Answers

Also, it's important to mention that allowing people to inject HTML or JavaScript into your page (and not your datasource) carries no inherent security risk itself. There already exist browser extensions that allow you to modify the DOM and scripts on web pages, but since it's only client-side, they're the only ones that will know.

Where XSS becomes a problem is when people a) use it to bypass client-side validation or input filtering or b) when people use it to manipulate input fields (for example, changing the values of OPTION tags in an ACL to grant them permissions they shouldn't have). The ONLY way to prevent against these attacks is to sanitize and validate input on the server-side instead of, or in addition to, client-side validation.

For sanitizing HTML out of input, htmlspecialchars is perfectly adequate unless you WANT to allow certain tags, in which case you can use a library like HTMLPurifier. If you're placing user input in HREF, ONCLICK, or any attribute that allows scripting, you're just asking for trouble.

EDIT: Looking at your code, it looks like you aren't quoting your attributes! That's pretty silly. If someone put their username as:

john onclick="alert('hacking your megabits!1')" 

Then your script would parse as:

<input type=text name=username value=john onclick="alert('hacking your megabits!1')"> 

ALWAYS use quotes around attributes. Even if they aren't user-inputted, it's a good habit to get into.

<input type="text" name="username" value="<?php echo htmlspecialchars($_POST['username']); ?>"> 
like image 63
Daniel Avatar answered Sep 20 '22 08:09

Daniel


There's one way. You aren't passing htmlspecialchars() the third encoding parameter or checking encoding correctly, so:

$source = '<script>alert("xss")</script>'; $source = mb_convert_encoding($source, 'UTF-7'); $source = htmlspecialchars($source); //defaults to ISO-8859-1 header('Content-Type: text/html;charset=UTF-7'); echo '<html><head>' . $source . '</head></html>'; 

Only works if you can a) set the page to output UTF-7 or b) trick the page into doing so (e.g. iframe on a page without a clear charset set). The solution is to ensure all input is of the correct encoding, and that the expected encoding is correctly set on htmlspecialchars().

How it works? In UTF-7, <>" chars have different code points than UTF-8/ISO/ASCII so they are not escaped unless convert the output to UTF-8 for assurance (see iconv extension).

like image 34
padraicb Avatar answered Sep 17 '22 08:09

padraicb