What is the meaning of untrusted data? Is it all data that is generated dynamically, or just data from user input?
-
What's your problem?? – Dec 25 '14 at 14:56
-
See http://stackoverflow.com/q/129677/3794472 – Jeremiah Winsley Dec 25 '14 at 14:59
-
You better start reading this : http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – salep Dec 25 '14 at 15:00
-
I'm just confused: what is untrusted data? Is it only the output that we generate with PHP, or is all script in HTML like "img src=" part of untrusted data? I just want to prevent my site from XSS attacks. – Eko Dec 25 '14 at 15:01
-
XSS and SQL injection are different @salep – Eko Dec 25 '14 at 15:02
-
@JeremiahWinsley I'm not asking how to sanitize, I'm just asking what untrusted data is and which input or output can be categorized as untrusted data. – Eko Dec 25 '14 at 15:03
-
@Kyo you just want to prevent `XSS` attacks – Dec 25 '14 at 15:04
-
I know how to validate and sanitize, but which input should I validate and sanitize? Is it all of it, including the HTML to display images? – Eko Dec 25 '14 at 15:04
-
@Kyo Anything that you cannot personally verify. This includes all user-supplied input, and any data which you retrieve from other sites that you don't control. – Jeremiah Winsley Dec 25 '14 at 15:05
-
@lawrenceoverflow I want to know which input or output I should be aware of regarding XSS, and that is what is called untrusted data. But what is categorized as untrusted data? – Eko Dec 25 '14 at 15:06
-
@JeremiahWinsley but I read at OWASP that: directly in a script, inside an HTML comment, in an attribute name, in a tag name, directly in CSS. So if it is only user supplied input, the script above should be untrusted data, right? – Eko Dec 25 '14 at 15:08
-
@Kyo check my answer below, it will protect from `XSS` attacks – Dec 25 '14 at 15:10
3 Answers
Untrustworthy data is any data that can potentially harm your web application. Being automatically generated doesn't automatically make data dangerous.
Generally speaking, if the data comes from somewhere or something you don't trust, then it's untrustworthy.
Usually that means any data that comes from the user land.
The way you should secure data is related to what that data will be used for. For instance, if you wish to store it in a database, then you must ensure it is properly escaped to prevent SQL injection. If the data will be used to exec shell commands, then escapeshellarg and escapeshellcmd are in order.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
It can happen if your web app displays unescaped data introduced by users. A simple example would be a blog site which doesn't escape comments from users. Removing HTML entities (such as Script tags, Iframes, etc...) should be enough to prevent this kind of attack.

-
So it means all static files like img src=me.jpg are secure, right? Since they're not generated by input or output? Or do they still need to be protected? – Eko Dec 25 '14 at 15:16
-
@Kyo **you better first learn about `PHP`**, you're still confused about input and output. You have to use prepared statements from PDO – Dec 25 '14 at 15:19
-
wth, I know input and output, all I want is: which input? I know that input is the script that we generate to take data from the user by a form, and output is like echo, print_r. It seems only Tivie knows what I mean here. – Eko Dec 25 '14 at 15:21
-
Like this script: is Dashboard categorized as trusted data or not? Is it safe or not, or do we need to filter it? That's what I'm asking. – Eko Dec 25 '14 at 15:22
-
All examples you gave are safe. However, if there's a script, object, embed, etc tag somewhere then it is not safe. – Tivie Dec 25 '14 at 15:28
-
In my case, IMG SRC=myimages.jpg is safe, right? Since it's not from the user but from my server file? – Eko Dec 25 '14 at 15:32
Given the already posted answers and comments to this and similar questions here, the answer to your question "what is untrusted data" is simple:
Everything coming from the client, regardless whether via POST, GET, PUT, HEAD, Cookie or whatever else should be regarded as untrusted.
As a matter of fact, all data coming from "the client" does not have to come from there at all and can always be crafted for abusing any vulnerability of your server software, whether you are using it or not.
Period.

-
This is the clearest answer besides Tivie's answer. So if it's not from the user it's categorized as trusted data, right? I mean if it's from my script like IMG SRC =MYPIC.JPG? – Eko Dec 25 '14 at 15:31
You need to use a function like htmlspecialchars() to protect from XSS when you output something to the browser that came from user input.
When you echo your input, use it like posted below:
    echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
Google Code University also has some very educational videos on Web Security.
-
So "directly in a script, inside an HTML comment, in an attribute name, in a tag name" is not from static data? It's all from user input and our output print like echo, right? – Eko Dec 25 '14 at 15:10
-
-
can you please post your code so that **people who visit your question** can find what problem you have – Dec 25 '14 at 15:21
-
Please read this so you'll understand what I mean here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet – Eko Dec 25 '14 at 15:23
-
Take a look at this code: so do we need to filter all IMG SRC links, or just the links that we take from the user? – Eko Dec 25 '14 at 15:25
-
@Kyo **Never trust user input**. You MUST have certain security for your site, SO use a form validator while processing input – Dec 25 '14 at 15:26
-
It's not what I mean here. I mean if I display an img, then an attacker or hacker inputs that kind of code. – Eko Dec 25 '14 at 15:29
-
When you allow users to input data there are many possible ways a hacker can attack you – Dec 25 '14 at 15:33
-
Don't ask me, ask a hacker. If they can attack Google and Facebook, why can't they just attack a displayed image? – Eko Dec 25 '14 at 15:34
-
lawrance, all you have to do is answer safe or not and we can stop arguing. I'm the one who's confused here, not you. – Eko Dec 25 '14 at 15:36
-
Google and Facebook have good validator functions and they **never trust user input**; they have certain filters to validate user input – Dec 25 '14 at 15:37
-
Yeah, I will never trust it either. This question is about which data I should trust or not. Axel's answer is the right one that I want and very clear. – Eko Dec 25 '14 at 15:38
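As an added example (not code from any of the answers above), here is how the distinction drawn in Tivie's, Axel's and lawrence's answers looks in a small PHP template: the developer's own `<img src="me.jpg">` tag is trusted and emitted as-is, while the values standing in for form input (constructed inline here instead of reading `$_GET`/`$_POST`) go through `htmlspecialchars()` with `ENT_QUOTES` before they land in a text node or a quoted attribute. The function names `e()` and `renderPage()` are this example's own.

```php
<?php
// Added example, not from the page: a page template that mixes trusted,
// developer-written markup with untrusted, client-supplied data.

// Escape a value for an HTML text node or a quoted attribute value.
// ENT_QUOTES also encodes the single quote, so the value cannot close a
// single-quoted attribute; UTF-8 keeps multi-byte input from being mangled.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8');
}

// $name and $comment stand in for form input (untrusted). The <img> tag and
// the heading are written by the developer (trusted) and are never escaped.
// Note: e() is only correct for text nodes and quoted attribute values; a
// value placed inside <script>, a style block or a URL needs a different
// encoder for that context (the OWASP cheat sheet linked above lists them).
function renderPage(string $name, string $comment): string
{
    $html  = "<h1>Dashboard</h1>\n";                                            // trusted
    $html .= "<img src=\"me.jpg\" alt=\"static image from the server\">\n";     // trusted
    $html .= "<p>Hello, " . e($name) . "</p>\n";                                // untrusted, text node
    $html .= "<blockquote>" . e($comment) . "</blockquote>\n";                  // untrusted, text node
    $html .= "<input type=\"text\" name=\"name\" value=\"" . e($name) . "\">\n"; // untrusted, attribute
    return $html;
}

// Constructed sample input: what a form might deliver. The quote and closing
// bracket try to end the value attribute early; the script tag is inline HTML.
$name    = '"><script>alert(1)</script>';
$comment = 'nice <b>site</b>';

// The quote becomes &quot; and the angle brackets &lt;/&gt;, so the browser
// renders the text literally instead of creating new elements.
echo renderPage($name, $comment);
```

Running it prints the `<img>` tag unchanged and `&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;` where the name was inserted, which is exactly the split the question asks about: escape what came from the client, not the markup you wrote yourself.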