XSS should you care?

7th Jan 2007 ¥åßßå

Paranoia has its place

XSS is one of those geeky terms that you see floating round the net, usually accompanied by some innocuous example where they point you at a link to a 3rd party website and make a javascript alert() pop up saying 'XSS!'....... not very impressive huh? I mean, what use is a simple alert()? It couldn't possibly harm your website right?

WRONG!!!!! That innocuous little box is one of the worst thing that you could see on your site, especially if you have any form of membership, customers or database. If you see that then it means that you've just unlocked your door and left it wide open. It means that you've just failed misserably at the most basic rules of coding. NEVER TRUST INPUT and NEVER OUTPUT UNSANITISED INPUT

Connection details

Host: everyones

Username: muppet

Password: available

Now we all know, or we should all know, that you should never just shove information straight from $_GET/POST into a database ... hell, it's one of the quickest ways to unlock your database to the world, you might as well just put your connection details on your front page in <h1> tags. The very least you should do is escape the string, but that really isn't enough. Every single piece of data that your website uses should be verified against the type and contents that it allows. If you're asking for an ID make sure it's a number (sounds obvious, but you'd be amazed). Asking for a date? Either make sure she's hot or check the input is actually a date huh? A string? Only allow the characters you expect (and still escape it :|). However, you shouldn't just be doing this if you're going to shove the data into a database, you should always do it, even if you're only echoing the values to the screen

Still unsure what that little box means? How about if instead of the box popping up the link called a malicious javascript file? What could happen then? For starters all of your cookies are available to the javascript, so if you're daft enough to store a username/password in them then it's just been hijacked, and if you're the admin that means the code now knows your login for the site and it's VERY simple for it to “call home” and pass these details on. Or it could incorporate a keylogger and watch everything you do ... pretty scary if you're entering your credit card details huh?

Yeah, but I never store the actual details in the cookies, I encrypt them! ” ..... that's really great ..... unfortunately as far as your code is concerned the javascript is your user and can easily make requests on that users behalf, either with something as simple as an image call or full blown ajax requests .... either way you're still screwed.

Yeah, but it only happens to crap coders who write shitty little websites that no one will use right? ” ..... urm, guess again ..... I spent the the last few days trawling round the web reading up on this and eventually ended up on this thread on sla.ckers.org which has a list full of some of the biggest names on the web, including several .gov websites! At the time the thread was 34 pages long and growing daily.

Yeah, but I filter out javascript from all inputs! ” ..... excellent ..... so did myspace.com and they got brought to their knees by the Sammy worm which was written in javascript.

Now, the boys at b2evolution are pretty hot when it comes to sanitising input and output, but that only works if you use their functions ( param() is there for a reason ;) ) and if you code a plugin/hack that doesn't use them then you really need to make damn sure that you do your own checks/sanitisation. This is especially true if you're going to make your plugin a public release because then it's not just your blog that you've unlocked the door of, it's every blog that installs your plugin/hack.

If you want to read more about this then try some of the following links, there's a good deal of information about this and other security problems, including ways of blocking these holes :-
Full Disclosure - sla.ckers.org (highly recomended if you like horror stories)
PHP and Web Application Security - shiflett.org
Nitesh Dhanjani - dhanjani.com
PHP: Security - Manual - php.net

The moral of this story is very simple “ In God you trust ... just sanitise His input first ” ;)

If anyone from sla.ckers.org happens to read this post, I'd like to thank you for your full disclosure forum. It certainly was an eyeopener!





Recent comments