Preventing non-persistent XSS attacks
#1

(This post was last modified: 09-23-2021, 01:09 AM by jhob. Edit Reason: added additional steps taken to resolve. )

I have a CI3 application that is vulnerable to non-persistent XSS attacks. 

I'm struggling to work out how I can prevent these, this sort of thing works on any URL that accepts querystring input:

Code:
https://mywebsite.com/search/?search='><svg/onload=confirm(/hacked/)>

I've tried this in the controller method:

PHP Code:
foreach ($_GET as $key => $param) {
    // Encode HTML metacharacters in every query-string value (runs server side only)
    $_GET[$key] = htmlentities($param, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

But that doesn't work as I think it's executed too late and is only really dealing with the querystring params in the execution of the PHP code, not at the front end where it's getting executed.

I'm sure there must be an easy way to prevent this sort of attack but I can't for the life of me work out how.

TIA!
#2

Use html_escape() when you display variable data in HTML.
See https://codeigniter.com/userguide3/helpe...eld-values
#3

(09-23-2021, 01:03 AM)kenjis Wrote: Use html_escape() when you display variable data in HTML.
See https://codeigniter.com/userguide3/helpe...eld-values

It's not re-displaying the querystring data, the issue I have is that the example shows a popup:

[Image: chrome_bVaU9aB6pS.png]

It's the browser that's executing the code, so I'm not sure that doing anything in PHP can prevent that. I'm wondering if it could somehow detect any malicious content and redirect to a 'safe' url.
#4

(This post was last modified: 09-23-2021, 05:22 PM by kenjis.)

In controllers:
PHP Code:
foreach ($_GET as $key => $param) {
    // Encodes every query-string value before the output context is known
    $_GET[$key] = htmlentities($param, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

It is a bad practice.
Escape just before outputting.
Because escaping depends on the context (in this case HTML output).

(09-23-2021, 01:24 AM)jhob Wrote: It's the browser that's executing the code, so I'm not sure that doing anything in PHP can prevent that. I'm wondering if it could somehow detect any malicious content and redirect to a 'safe' url.

If the browser's JavaScript reads the query string in the URL and executes something and you get the popup,
you need to fix the JavaScript code.
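The two answers above make one point each: escape at the output sink, not in the controller (post #2 and the first half of post #4), and when the browser's own JavaScript reads the query string and writes it into the page, that JavaScript is the thing to fix (second half of post #4). The following is an added example, not code from the thread or from CodeIgniter, written in JavaScript because the browser side is where the popup happens. It assumes the `?search=` URL from post #1 as constructed input, a hand-written `escapeHtml()` with the same character set as CI3's `html_escape()` (PHP `htmlspecialchars` with `ENT_QUOTES`), and a plain object standing in for a DOM element so it runs under Node without a browser.

```javascript
// Added example (not from the thread or CodeIgniter). Constructed input: the
// URL posted in #1, with its payload left exactly as written there.
const CONSTRUCTED_URL =
  "https://mywebsite.com/search/?search='><svg/onload=confirm(/hacked/)>";

// Same character set as CI3 html_escape() / PHP htmlspecialchars(ENT_QUOTES):
// the five characters that can change meaning inside HTML text or attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Read ?search= the way the browser does: the URL API percent-decodes the value,
// so whatever the controller did to $_GET earlier is irrelevant to this copy.
function searchParam(url) {
  return new URL(url).searchParams.get("search") || "";
}

// Reflected pattern that triggers the popup: the raw value is concatenated into
// markup (a PHP view echoing without html_escape(), or JS building an innerHTML
// string). The quote in the payload closes the attribute and a new tag begins.
function renderUnsafe(query) {
  return `<input value='${query}'>`;
}

// Fix for that context: escape at the moment the value enters HTML.
function renderSafe(query) {
  return `<input value='${escapeHtml(query)}'>`;
}

// Fix on the browser side: write the value through a text sink (textContent,
// or .value on an input) instead of innerHTML, so it is stored, never parsed.
// `el` is any object with a textContent property; in a browser, a DOM element.
function setSearchText(el, query) {
  el.textContent = query; // the string stays a string, no tag is created
  return el;
}

// Review helper: how many tags does the produced markup open? The safe render
// opens only the <input> the template intended; the unsafe one also opens <svg>.
function openedTags(markup) {
  return (markup.match(/<[a-z]/gi) || []).length;
}
```

Running `openedTags(renderUnsafe(searchParam(CONSTRUCTED_URL)))` gives 2 and the safe variant gives 1, which is the whole argument of post #4 in one check: the same string is harmless or not depending only on how it is written into the page, so the escaping has to live at that point rather than in a blanket loop over `$_GET`.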