Preventing non-persistent XSS attacks
09-23-2021, 12:41 AM
(This post was last modified: 09-23-2021, 01:09 AM by jhob. Edit Reason: added additional steps taken to resolve. )
I have a CI3 application that is vulnerable to non-persistent XSS attacks.
I'm struggling to work out how I can prevent these. This sort of thing works on any URL that accepts querystring input:

Code:
https://mywebsite.com/search/?search='><svg/onload=confirm(/hacked/)>

I've tried this in the controller method:

PHP Code:
foreach($_GET as $key => $param) {

But that doesn't work, as I think it's executed too late and is only really dealing with the querystring params in the execution of the PHP code, not at the front end where it's getting executed. I'm sure there must be an easy way to prevent this sort of attack but I can't for the life of me work out how. TIA!
Use html_escape() when you display variable data in HTML.
See https://codeigniter.com/userguide3/helpe...eld-values

(09-23-2021, 01:03 AM)kenjis Wrote: Use html_escape() when you display variable data in HTML.

It's not re-displaying the querystring data. The issue I have is that the example shows a popup: it's the browser that's executing the code, so I'm not sure that doing anything in PHP can prevent that. I'm wondering if it could somehow detect any malicious content and redirect to a 'safe' URL.
In controllers:
PHP Code:
foreach($_GET as $key => $param) {

It is bad practice. Escape just before outputting, because escaping depends on the context (in this case HTML output).

(09-23-2021, 01:24 AM)jhob Wrote: It's the browser that's executing the code, so I'm not sure that doing anything in PHP can prevent that. I'm wondering if it could somehow detect any malicious content and redirect to a 'safe' URL.

If the browser's JavaScript reads the query string in the URL and executes something and you get the popup, you need to fix the JavaScript code.
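As an added example, not code from this thread or from CodeIgniter itself: the two points made above (escape at the point of output, and the escaping has to fit the output context) worked through on the exact payload from the first post. It is written in JavaScript so it runs under Node.js; `htmlEscape()` reproduces what CI3's `html_escape()` does (`htmlspecialchars()` with `ENT_QUOTES`, so both quote characters are encoded), and the `<input>` and `<h2>` templates are hypothetical stand-ins for whatever the real view renders.

```javascript
// Added example (not from the thread): "escape at output, per context" applied
// to the payload in the first post. Runs under Node.js (URL is a global).

// The URL from the first post; the query string is the attacker-controlled input.
const ATTACK_URL =
  "https://mywebsite.com/search/?search='><svg/onload=confirm(/hacked/)>";

// Read the parameter the way $_GET on the server, or location.search in the
// browser, would deliver it: percent-decoded, raw characters intact.
function getSearchParam(url) {
  return new URL(url).searchParams.get("search") || "";
}

// Equivalent of CI3's html_escape(): htmlspecialchars() with ENT_QUOTES.
// Encoding ' and " as well as < > & makes the value safe inside element text
// and inside single- or double-quoted attribute values.
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Vulnerable template (hypothetical): the value is concatenated into a
// single-quoted attribute with no escaping. The leading ' in the payload
// closes the attribute, the > closes the tag, and <svg onload=...> becomes
// live markup that the browser executes on load.
function renderSearchFormUnsafe(term) {
  return "<input type='text' name='search' value='" + term + "'>";
}

// Hardened template: identical markup, escaped at the point of output.
// The payload stays inside the attribute as inert text.
function renderSearchForm(term) {
  return "<input type='text' name='search' value='" + htmlEscape(term) + "'>";
}

// Element-text context (hypothetical heading): here the leading ' is harmless
// on its own, but < and > still have to be escaped or the svg tag is live.
function renderHeading(term) {
  return "<h2>Results for " + htmlEscape(term) + "</h2>";
}

// Crude illustration only: count raw tag openers in the rendered HTML.
// The templates above each contribute exactly one; anything more came from
// the user-controlled value breaking out of its context.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

const term = getSearchParam(ATTACK_URL);
console.log(renderSearchFormUnsafe(term)); // svg tag has escaped the attribute
console.log(renderSearchForm(term));       // payload is inert attribute text
console.log(renderHeading(term));          // payload is inert element text
```

The same rule applies on the client side, which is what the last reply is pointing at: if browser JavaScript copies `location.search` into the page with `innerHTML` or `document.write`, the server-side escaping never sees that path. Assign the value with `input.value = term` or `element.textContent = term` instead, so the browser treats it as data rather than markup.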