If I submit an input checkbox, radio or select that has fixed content, can it be vulnerable to XSS? If yes, how? How to prevent it?
4 Answers
XSS can happen when some elements of your page are generated using user-inputted information.
Look at the following snippet:
<input type="checkbox" value="<?php echo $variableContainingUserInput; ?>" />
If your user entered the following string:
" /> <script> window.location = "maliciouswebsite.com"; </script>
The resulting HTML would look like this:
<input type="checkbox" value="" /> <script> window.location = "maliciouswebsite.com"; </script>" />
This would, in fact, redirect the user to the malicious website in question.
In short, ANYTHING that is user-submitted could be dangerous if it ends up on any page of your site.
Here is a similar question on SO.

I am a bit confused here, could you explain what would a user gain by doing so? I mean if he redirects the page to the malicious website, it is he who is getting affected, correct? – AgentX Dec 01 '15 at 15:42
If this gets saved in a database and printed back on the page, other users could also get redirected to the malicious website. – Dany Caissy Dec 02 '15 at 16:21
Fixed content or not, that doesn't matter. An "attacker" could change that if he wanted. But... even if it's not changed: everything is vulnerable to XSS if it depends on data sent by the client.
How to prevent it? Escape everything!
How to do that... that depends. You can do that server-side (PHP, etc.) or client-side (JavaScript). But don't rely on JavaScript. An attacker could force data not to be escaped or parsed by JavaScript.
So... escape server-side.
PHP:
$safeData = htmlentities($vulnerableData, ENT_QUOTES, 'UTF-8'); // ENT_QUOTES escapes single quotes as well as double quotes

If a user can see it they can modify it. Always validate every input.

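The advice in the two preceding answers (escape server-side, validate every input), combined in an added example that is not part of any answer on this page: the submitted value of a fixed-choice field is checked against the list the server rendered, and anything echoed back is escaped. The option list and the functions e(), pickColor() and renderSelect() are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example: server-side handling of a "fixed" <select>/checkbox value.
// The option list and function names are hypothetical, not from the answers.
const ALLOWED_COLORS = ['red' => 'Red', 'green' => 'Green', 'blue' => 'Blue'];

// Escape for an HTML text or quoted-attribute context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept the submitted value only if it is one of the keys the server rendered.
// Arrays (color[]=x) and missing fields are rejected as well.
function pickColor($submitted): ?string
{
    if (!is_string($submitted) || !array_key_exists($submitted, ALLOWED_COLORS)) {
        return null;
    }
    return $submitted;
}

// Re-render the <select>, marking the validated choice as selected.
function renderSelect(?string $selected): string
{
    $html = "<select name=\"color\">\n";
    foreach (ALLOWED_COLORS as $value => $label) {
        $attr = ($value === $selected) ? ' selected' : '';
        $html .= sprintf("  <option value=\"%s\"%s>%s</option>\n", e($value), $attr, e($label));
    }
    return $html . "</select>\n";
}

// Constructed sample submissions; in a real handler the value would come
// from $_POST['color'] ?? null. The second is the payload from the first answer.
$samples = [
    'green',
    '" /> <script> window.location = "maliciouswebsite.com"; </script>',
    ['nested' => 'array'],
];

foreach ($samples as $raw) {
    $color = pickColor($raw);
    // If the raw value must be echoed (e.g. in an error message), escape it first.
    $shown = is_string($raw) ? e($raw) : '(non-string input)';
    echo ($color === null ? "REJECTED: " : "ACCEPTED: ") . $shown . "\n";
    echo renderSelect($color) . "\n";
}
```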
There are so many things to cover in preventing XSS. This should cover most things on the scripting side; plus, if you have sensitive information, you should really use an SSL certificate from a trusted source like Verisign or the ones that are insured. You can get 128- or 256-bit certs, depending on what you're storing. That's just scripting; you also have to make sure you're using the correct DB functions to store the data securely.
Also, check this out when you get a chance; it covers most of what you're asking: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
If you need tips on how to go about securing input fields, go through this on top of the SSL certificate:
Preventing Cross-Site Scripting Attacks
@ref: http://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/
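You can also use form tokens:
<?php
// Unpredictable per-form token; md5(time()) can be guessed from the request time
$token = bin2hex(random_bytes(16));
// Append the issued token to the file of tokens handed out
$fp = fopen('./tokens.txt', 'a');
fwrite($fp, "$token\n");
fclose($fp);
?>
<form method="POST">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="text" name="message"><br />
<input type="submit" />
</form>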
http://phpsec.org/projects/guide/2.html
After you've done all that, there's the database storage side. Do not use mysql_* functions; use PDO or prepared statements instead.
