Cross Site Scripting (XSS) attacks are very popular nowadays, and many web application developers try hard to use different methods to prevent them. Many web applications provide text areas where users can enter their thoughts or comments and post them in a thread, and such text areas are a very useful place to perform an XSS attack. There are some ways to prevent attacks in these text areas. Forum applications (e.g. phpBB, Discuz!) developed their own markup language for these areas (e.g. BBCode); in most small applications, programmers simply try to remove HTML tags so that only plain text can be submitted.
Consider the second approach: applications written in PHP usually use strip_tags() to remove the HTML tags, or htmlentities() to keep a plain-text version of the user's evil 'thoughts'. Currently, htmlentities() can only be exploited by buffer overflow; I don't know of any technique that can bypass htmlentities() and perform an XSS attack in such applications. Should you know of one, please feel free to let me know. Fortunately, if the developers use strip_tags() in their applications, sometimes we can bypass strip_tags() and get our evil scripts to run. Take the following code as an example.
<?php
$userid = $_REQUEST["userid"];
$passwd = $_REQUEST["passwd"];
$userid = strip_tags($userid);
// ...
?>
<!-- ... -->
<?php
echo "<form action=\"evil.php\" method=\"get\">";
echo "<input type=\"text\" name=\"userid\" value=\"".$userid."\" />";
echo "<input type=\"password\" name=\"passwd\" />";
echo "<input type=\"submit\" name=\"submit\" value=\"Login\" />";
echo "</form>";
?>
<!-- ... -->
Some of you may immediately spot the vulnerability in this code segment. For those who don't see it right away, let's first read the description of strip_tags() from the PHP documentation.
string strip_tags ( string $str [, string $allowable_tags ] )
This function tries to return a string with all HTML and PHP tags stripped from a given str . It uses the same tag stripping state machine as the fgetss() function.
From the description, we know that strip_tags() only removes HTML tags from the input string $str and returns the string without any tags that are not allowed. You may think this is safe enough to keep hackers away from your application, but it is not. Keep in mind that inside an HTML tag we can add event handlers to the element; e.g. in an <input> tag, we can add an event handler that fires when the input receives focus (onfocus="..."). There are many more event handlers; you can google them with the keywords "javascript event handler" (without quotes). If we can add any kind of event handler in the code segment above, we are done, because the event handler can execute JavaScript! Now we are only one step away from the attack: how can we add an onfocus event handler to the code? The developer actually gives us a hand here, because he uses a double quote to quote the string $userid, and strip_tags() does not touch quotes. Why do I say so? Consider the following input string (including the quotes).
" onfocus=alert(123); "
When you click on the input text, a dialog pops up. We got it! You can now exploit this vulnerability. However, some of you may be wondering: instead of strip_tags(), what can we use to prevent XSS attacks, or to prevent users from using HTML tags? Currently, I think the easiest way is to use htmlentities(): all characters that have HTML character entity equivalents are translated into those entities by the htmlentities() function, so the double quote can no longer terminate the attribute value.
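As an added example (not code from the original post), the following script renders the post's <input> element both ways, once with strip_tags() only and once with htmlentities() for the attribute context, and runs a small check on each result; the function names are my own.

```php
<?php
// Added example, not the original post's code. Renders the post's <input>
// element once with strip_tags() only and once with attribute-context
// escaping, using the post's own payload. Function names are hypothetical.

// Vulnerable rendering: strip_tags() removes <...> tags but leaves quotes
// alone, so the value can close value="..." and start a new attribute.
function render_userid_input_stripped(string $userid): string
{
    $userid = strip_tags($userid);
    return '<input type="text" name="userid" value="' . $userid . '" />';
}

// Hardened rendering: encode for the attribute context. ENT_QUOTES encodes
// both " and ' (before PHP 8.1 the default flags only encoded "), so the
// value can never terminate the attribute it is placed in.
function render_userid_input_escaped(string $userid): string
{
    $safe = htmlentities($userid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="userid" value="' . $safe . '" />';
}

// Regression check for any value interpolated into a quoted attribute:
// after encoding, none of the characters that can end the attribute
// value or open a new tag may remain.
function value_can_break_attribute(string $value): bool
{
    return strpbrk($value, "\"'<>") !== false;
}

// The post's payload, constructed here with straight quotes.
$payload = '" onfocus=alert(123); "';

echo render_userid_input_stripped($payload), PHP_EOL;
echo render_userid_input_escaped($payload), PHP_EOL;

// strip_tags() keeps the quote, so the check flags it; htmlentities()
// turns it into &quot;, so the check passes.
var_dump(value_can_break_attribute(strip_tags($payload)));
var_dump(value_can_break_attribute(
    htmlentities($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
));
```

Run it with the php CLI: the first rendering still carries the injected onfocus attribute, while the second shows &quot; in its place and the check returns false.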
A demonstration will be uploaded later; currently I am looking for a good web hosting company. Any suggestions? I would like to have almost full access to the machine.
Should you have any interesting experience or thoughts you want to share, please do not hesitate to share them with me.
Reference:
- PHP strip_tags not a complete protection against XSS
- The technique is proposed by .mario, a post from sla.ckers.org