
Help - trying to prevent java script URL redirect

  • 16-12-2015 11:58pm
    Registered Users Posts: 548 ✭✭✭


    Hi All,

    Firstly apologies if this is posted in the wrong section.

    For the purpose of a project assignment I have basically created a very basic website, hosted locally. I have a guestbook which I am using to demonstrate how Cross Site Scripting (XSS) vulnerabilities work. So basically I inject the below JavaScript into the message part of the guestbook and leave a name. Once messages within the Guestbook are viewed you are redirected to www.owasp.org



    <script type="text/javascript"> window.open("http://www.owasp.org", "_self");
    </script>


    So my question is how would I prevent the redirect for the purpose of securing the application? I have read about the scripts_tags function in PHP. I have a PHP page created for use with the Guestbook, so I'm just looking to see how I could prevent the redirect?

    Cheers in advance :)


Comments

  • Registered Users Posts: 241 ✭✭fcrossen


    You need to escape the output to the browser. Check out the htmlspecialchars() and htmlentities() functions.


  • Registered Users Posts: 6,042 ✭✭✭Talisman


    You should never store untrusted input directly, at the very least it should be HTML escaped.

    Bad characters: & < > " ' /

    They should be replaced as follows:
    & : &amp;
    < : &lt;
    > : &gt;
    " : &quot;
    ' : &#x27;
    / : &#x2F;
    

    Your dodgy string becomes harmless. By escaping the input you don't have to worry about the output.


  • Registered Users Posts: 548 ✭✭✭whodafunk


    Thanks guys for the replies. So I have a basic HTML page for the guestbook which calls a PHP file when the end user enters a name and message into the guestbook - it enters the name and message into a MySQL DB. I also have another PHP file which is used for displaying the messages within the guestbook - it connects to the MySQL DB, runs a query and displays the results.

    Any ideas how I might incorporate htmlspecialchars() into the PHP file? Extract from the PHP file below.

    Cheers




    <?php
    // raw form input: nothing here is escaped for SQL or for HTML yet
    // (field names assumed to match the guestbook form: "name" and "message")
    $name = $_POST['name'];
    $message = $_POST['message'];

    // connect to MySQL
    $conn = @mysql_connect ( "localhost", "root", "")
    or die (mysql_error());

    // select the database
    $rs = @mysql_select_db ( "guestbookfix", $conn ) or die (mysql_error());

    // Create the query - $name and $message are interpolated straight into the SQL string
    $sql = "INSERT INTO message(guestName, msg) VALUES ('$name','$message')";

    // execute the query
    $rs = mysql_query( $sql, $conn ) or die (mysql_error());
    ?>

    <p>Message successfully saved.</p>
    <p>Click <a href="guestbook.html">here</a> to return to Guestbook.</p>


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham


    Be careful not to leave yourself open to SQL injections. Have a look at 'prepared statements':

    http://culttt.com/2012/09/24/prevent-php-sql-injection-with-pdo-prepared-statements/


  • Registered Users Posts: 548 ✭✭✭whodafunk


    Graham wrote: »
    Be careful not to leave yourself open to SQL injections. Have a look at 'prepared statements':

    http://culttt.com/2012/09/24/prevent-php-sql-injection-with-pdo-prepared-statements/


    Thanks for the tip. I have looked at SQL injection prevention.


  • Registered Users Posts: 241 ✭✭fcrossen


    +1 for the pointer to SQL injection...

    However it is a bad idea to store html escaped data in the DB. What if you want to use the data for print? SMS? You would then need to unescape the data before using it.

    Instead store the plain text and escape the data before sending to the browser. Use your own class or function to prevent lots of repeated/redundant code.


  • Registered Users Posts: 548 ✭✭✭whodafunk


    Sorry just to say this is all ran locally for the purpose of testing/demonstrating vulnerabilities to web applications. Cheers


  • Registered Users Posts: 6,042 ✭✭✭Talisman


    fcrossen wrote: »
    However it is a bad idea to store html escaped data in the DB. What if you want to use the data for print? SMS? You would then need to unescape the data before using it.

    Instead store the plain text and escape the data before sending to the browser. Use your own class or function to prevent lots of repeated/redundant code.
    Best practice is to scrub the data before you store it. The data is only going to be written once but will be read many times.

    Your 'what if' scenario is an exception case rather than the common use case. If you want to reverse the escaping process it's a simple task.


  • Registered Users Posts: 548 ✭✭✭whodafunk


    Hi All,

    Could anyone make a stab at using the htmlspecialchars function for anything entered into the message field?

    As an example when I put the following into the message field it redirects me to the URL.

    <script type="text/javascript"> window.open("http://www.owasp.org", "_self");
    </script>

    If I could avoid the URL redirect that would be good enough. Would really appreciate any help on this.

    Thank You :)


  • Registered Users Posts: 548 ✭✭✭whodafunk


    Found this link, so could anybody help piece it together?

    http://www.w3schools.com/php/php_form_validation.asp

    Cheers


  • Registered Users Posts: 262 ✭✭Banta


    Have you looked at using mysql_real_escape_string? (or mysqli_real_escape_string depending on what version of PHP you're running - recommended).

    // uses the most recently opened mysql_connect() link, so connect before escaping
    $name = mysql_real_escape_string($_POST['name']);
    $message = mysql_real_escape_string($_POST['message']);

    http://php.net/manual/en/function.mysql-real-escape-string.php


  • Registered Users Posts: 241 ✭✭fcrossen


    You have two things going on here...

    1) Browser security.

    Some characters (e.g. "<" and "&") have special meaning in HTML.

    If you have a form posted with a 'firstname' post variable and you want to display it in a browser window you must escape special HTML characters. For example:

    <input type="text" name="firstname" value="<?php echo htmlspecialchars($_POST['firstname']) ?>" />

    This has nothing to do with SQL security.

    2) SQL security

    Some characters (e.g. "'") have special meaning in SQL.

    If you are inserting in the database, you must SQL escape. For example:
    UPDATE `users` SET `firstname` = '<?php echo mysqli_real_escape_string($link, $_POST['firstname']) ?>' WHERE user_id = '100'
    -- $link is the open mysqli connection; mysqli_real_escape_string() takes it as its first argument
    The set of unsafe characters in SQL is not the same as the set of unsafe characters in HTML.
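Putting the thread's advice together as an added example (not code from the OP or any of the other posters): the guestbook save and display in one PHP file, using the PDO prepared statements from the link Graham posted for the SQL side, and htmlspecialchars() at the moment of output for the HTML side, as fcrossen describes, which is where whodafunk asked for the function to go. It assumes the OP's database guestbookfix with table message(guestName, msg), form fields named name and message, the root/empty-password connection from the OP's snippet, and that the file is saved as guestbook.php; the helper names db(), saveMessage(), h() and renderMessages() are my own.

```php
<?php
// Added example, not the OP's code. Assumes database "guestbookfix" with table
// message(guestName, msg) and form fields "name" and "message" (as in the thread);
// helper names and the PDO settings are this example's own choices.
declare(strict_types=1);

function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=guestbookfix;charset=utf8mb4', 'root', '');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side parameters
    return $pdo;
}

// SQL side: store the text exactly as typed. The prepared statement sends the values
// separately from the query text, so quotes in $message cannot change the SQL.
function saveMessage(PDO $pdo, string $name, string $message): void {
    $stmt = $pdo->prepare('INSERT INTO message (guestName, msg) VALUES (:name, :msg)');
    $stmt->execute([':name' => $name, ':msg' => $message]);
}

// HTML side: escape at output. ENT_QUOTES converts both " and ' to entities, so the
// result is also safe inside a quoted attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of making htmlspecialchars() return an empty string.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderMessages(PDO $pdo): string {
    $html = '';
    foreach ($pdo->query('SELECT guestName, msg FROM message') as $row) {
        $html .= '<p><strong>' . h($row['guestName']) . '</strong>: ' . h($row['msg']) . "</p>\n";
    }
    return $html;
}

// Save on POST, then show the guestbook. The OP's <script> payload is stored verbatim
// but comes back as "&lt;script ...&gt;", which the browser displays as text rather
// than executing, so no redirect happens.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    saveMessage(db(), (string)($_POST['name'] ?? ''), (string)($_POST['message'] ?? ''));
    header('Location: guestbook.php', true, 303); // fixed target: redirect-after-POST
    exit;
}
header('Content-Type: text/html; charset=UTF-8');
echo '<!DOCTYPE html><meta charset="UTF-8"><title>Guestbook</title>';
echo renderMessages(db());
```

ENT_QUOTES is passed explicitly because before PHP 8.1 the default flags were ENT_COMPAT, which leaves the single quote from Talisman's list unescaped. htmlspecialchars() never touches the `/` from that list, which is only a concern for values placed in unquoted attributes, so keep every attribute quoted.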

