This post is about source code review in PHP and shows how a relatively small chunk of code can cause you a lot of problems.
The Code
In this article we are going to analyze the code displayed below. It might seem innocent to some, but it is not. We are going to assume that it is used by some web site to post user comments securely.
If you look carefully at the code you will see that it is vulnerable to the following issue: Stored XSS!!

<?php require_once 'common.php'; validateMySession(); ?>
<html>
<head>
<title>User Posts</title>
</head>
<body>
<h1>Showing current posts</h1>
<form action='awsomePosts.php'>
<p>MySearch: <input type='text' value='<?php if (isset($_GET['search'])) echo htmlentities($_GET['search'])?>'></p>
<p><input type='submit' value='MySearch'></p>
</form>
<?php showAwsomePosts();?>
</body>
</html>
If you think this is not accurate, think again.
The Stored XSS
An adversary would need very good knowledge of encoding and XSS attacks to exploit this vulnerability. It is based on the well known UTF-7 encoding attack, which is considered old. Other filter-bypassing techniques, such as JavaScript events, can also be used to get past htmlentities.
Vulnerable Code:
<p>MySearch: <input type='text' value='<?php if (isset($_GET['search'])) echo htmlentities($_GET['search'])?>'></p>  // Vulnerable to XSS UTF-7 attack
The page that the potential XSS resides on doesn't provide a page charset (e.g. header('Content-Type: text/html; charset=UTF-8'); or <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-8">), so any browser that is set to UTF-7 encoding can be exploited with the following XSS input (the attacker does not need the charset statement if the user's browser is set to auto-detect and there is no overriding content-type on the page, in Internet Explorer and Netscape rendering engine mode). This does not work in any modern browser without changing the encoding type.
Example1 UTF-7 Encoding
Input payload (plain):
<script>alert(1)</script>
Input payload (UTF-7 encoded):
+ADw-script+AD4-alert('XSS')+ADw-/script+AD4APA-/vulnerable+AD4-
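The following script is an added example and is not part of the original post. It shows why htmlentities() on its own does nothing against the UTF-7 payload above: the escaper works on the bytes it is given and assumes UTF-8, the UTF-7 shift sequences contain none of the characters it encodes, so the string passes through and only a browser that has decided the page is UTF-7 turns it back into markup. The decodeAsUtf7(), countTags() and looksLikeUtf7Shift() helpers, and the detection heuristic in the last one, are assumptions of this example, not something the post provides.

```php
<?php
// Added example, not part of the original post: the UTF-7 payload seen
// through the escaper (UTF-8 view) and through a browser that settled
// on UTF-7. The helpers and the detection heuristic are assumptions of
// this example.
declare(strict_types=1);

// The post's encoded payload, embedded here as the sample input.
const UTF7_PAYLOAD = "+ADw-script+AD4-alert('XSS')+ADw-/script+AD4APA-/vulnerable+AD4-";

// What the vulnerable page does: escape under the assumption of UTF-8.
// ENT_QUOTES touches the two quotes; the shift sequences are made of
// '+', '-', '/' and base64 letters, none of which are encoded.
function escapeAssumingUtf8(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What a browser that has settled on UTF-7 would see: mbstring decodes
// the shift sequences back into '<' and '>'.
function decodeAsUtf7(string $s): string
{
    return mb_convert_encoding($s, 'UTF-8', 'UTF-7');
}

// Number of tag-like tokens in a string; zero in the UTF-8 view is
// exactly why htmlentities() has nothing to do.
function countTags(string $s): int
{
    return (int) preg_match_all('/<[^>]+>/', $s);
}

// Defender-side check for request logs or a WAF rule: a '+' followed by
// base64 characters and a '-' is the UTF-7 shift form. It is a
// heuristic and can false-positive on strings such as "X+AB-1", so
// log on it rather than block on it alone.
function looksLikeUtf7Shift(string $s): bool
{
    return preg_match('/\+[A-Za-z0-9+\/]{2,}-/', $s) === 1;
}

$escaped = escapeAssumingUtf8(UTF7_PAYLOAD);
$decoded = decodeAsUtf7(UTF7_PAYLOAD);

printf("escaped (UTF-8 view): %s\n", $escaped);
printf("tags in escaped:      %d\n", countTags($escaped));
printf("decoded (UTF-7 view): %s\n", $decoded);
printf("tags in decoded:      %d\n", countTags($decoded));
printf("shift sequence seen:  %s\n", looksLikeUtf7Shift(UTF7_PAYLOAD) ? 'yes' : 'no');
```

Run it with the PHP CLI (mbstring must be loaded). The point to take away is that escaping is relative to a charset: htmlentities() can only protect output if the browser interprets the page in the charset the escaper assumed, which is what the explicit Content-Type header and <meta> tag guarantee.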
Example2 JavaScript Events
Injecting JavaScript event handlers into the value that PHP's htmlentities() processes will also bypass the filter.
The code before injection:
<p>MySearch: <input type='text' value='<?php if (isset($_GET['search'])) echo htmlentities($_GET['search'])?>'></p>
The code after injection:
<p>MySearch: <input type='text' value='onerror='alert(String.fromCharCode(88, 83, 83))'></p>
Note: This example needs further testing to see if it is applicable.
Remedial Code:
Provide server-side filters for the vulnerability. Use regular expressions and HTML-encode the variables whether they are displayed back to the user or not.
1st Layer of defense
// XSS filter the value, because it might be printed back to the user later on.
$search = isset($_GET['search']) ? $_GET['search'] : '';
// Whitelist check: the pattern is anchored so the whole value must be letters; anything else is rejected.
if (preg_match("/^[a-zA-Z]+$/", $search)) {
    showPosts();
}
Note: Using regular expressions to replace parts of the input and then continuing to process it is not recommended; once a malicious input is identified it should be rejected (e.g. using preg_match instead of preg_replace).
2nd Layer of defense
header('Content-Type: text/html; charset=UTF-8');
// Normalise the value to UTF-8 before it is used. mb_convert_encoding() returns the converted string
// and does not modify its argument, so the result has to be assigned.
$search = mb_convert_encoding($search, 'UTF-8');
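The script below is an added example, not the original post's code, and serves both the JavaScript-events example above (a single quote is enough to end a single-quoted attribute, and htmlentities() with its older ENT_COMPAT default leaves single quotes alone) and the two layers of defense just described. Assumptions that are not taken from the post: the whitelist policy SEARCH_WHITELIST (letters, digits and spaces, 1 to 64 characters), double-quoted attributes, and mb_check_encoding() to reject badly encoded input rather than mb_convert_encoding() to convert it, in line with the note that malicious input should be rejected. common.php, validateMySession() and showAwsomePosts() are left out so the file runs on its own; the form still posts to awsomePosts.php as in the original.

```php
<?php
// Added example (not the original post's code): the search box rebuilt
// with the three layers the post describes. Assumptions not taken from
// the post: the whitelist policy below, double-quoted attributes, and
// mb_check_encoding() to reject instead of convert. common.php and
// showAwsomePosts() are left out so the file runs on its own.
declare(strict_types=1);

// Constructed policy: what a search term is allowed to look like.
const SEARCH_WHITELIST = '/^[A-Za-z0-9 ]{1,64}$/';

// Layer 1: whitelist validation. Returns the term, or null to reject it.
// A failing value is rejected outright rather than "cleaned" with
// preg_replace, as the post's note recommends.
function validateSearch(?string $raw): ?string
{
    if ($raw === null || !mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    return preg_match(SEARCH_WHITELIST, $raw) === 1 ? $raw : null;
}

// Layer 3: output encoding for an attribute value. ENT_QUOTES encodes
// both ' and " so the attribute cannot be closed early (the plain
// htmlentities() default on older PHP is ENT_COMPAT, which leaves '
// alone); ENT_SUBSTITUTE swaps invalid byte sequences for U+FFFD
// instead of returning an empty string.
function escapeAttr(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample in the shape of the post's second example: a
    // quote that ends the attribute, followed by an event handler.
    $sample = "' onerror='alert(1)";
    // ENT_COMPAT does not encode the single quote; escapeAttr() does.
    echo "ENT_COMPAT: ", htmlentities($sample, ENT_COMPAT, 'UTF-8'), "\n";
    echo "ENT_QUOTES: ", escapeAttr($sample), "\n";
    // A plain term passes the whitelist; the sample is rejected.
    var_dump(validateSearch('security news'));
    var_dump(validateSearch($sample));
    exit;
}

// Layer 2: declare the charset in the HTTP header (authoritative) and
// again in <meta> before any attacker-influenced text appears.
header('Content-Type: text/html; charset=UTF-8');
$rawSearch = $_GET['search'] ?? null;
$search = validateSearch(is_string($rawSearch) ? $rawSearch : null);
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>User Posts</title>
</head>
<body>
<h1>Showing current posts</h1>
<form action="awsomePosts.php" method="get">
<p>MySearch: <input type="text" name="search" value="<?php echo $search === null ? '' : escapeAttr($search); ?>"></p>
<p><input type="submit" value="MySearch"></p>
</form>
<?php if ($rawSearch !== null && $search === null): ?>
<p>The search term was rejected.</p>
<?php endif; ?>
</body>
</html>
```

Run with the PHP CLI to see the escaping comparison and the whitelist decisions, or serve it with the built-in web server to see the page. The three layers are independent: the header and <meta> fix the charset so the browser cannot be talked into UTF-7, the whitelist rejects anything outside the expected shape instead of trying to repair it, and ENT_QUOTES closes the single-quote gap that the JavaScript-events example relies on.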
Countermeasures Summarized
- Specify the charset clearly (an HTTP header is recommended).
- Don't place text the attacker can control before <meta>.
- Specify a charset name the browser recognises.
- Apply regular expressions based on the white-list mentality.