0

I've done quite some research on this but I can't seem to find the EXACT answer to my problem as in what code to put where.

So I'm building a simple website for users to login and play javascript games. The site isn't up and running yet but I got a random email from a stranger saying my site is vulnerable to XSS and sent me a link which redirected to my website. When I got back to my website, an alert came up showing cookies and some other stuff I don't know about. The link is no longer active so I can't show you the script that was added to the input field of the login form.

Is there any way to prevent malicious users from doing this? Here is the code which makes up my login from if it helps.

<form method="post">            
  <p>Login</p>
  <div class="form-group">
  <label for="login" style="float:left">Email or username</label>
  <input class="form-control" name="login" value="<?php echo addslashes($_POST['login']); ?>"/> 
  <label for="loginpassword" style="float:left">Password</label>
  <input class="form-control" type="password" name="loginpassword" value="<?php echo addslashes($_POST['loginpassword']); ?>"/>
  </div>
  <input type="submit" class="btn btn-success btn-lg wrap" name="submit" value="login"/>

  <?php
    if($error) {
      echo '<div class="alert alert-danger" id="errorDiv">'.addslashes($error).'</div>';                
    }   
  ?>    
</form>

From the login.php file:

<?php
    if ($_POST['submit']=="login") 
    {
      $login = mysqli_real_escape_string($connection_info, $_POST['login']);
      $loginpw = $_POST['loginpassword'];

      //check database see if correct login details
      // if not found then $error = "incroorect login details" etc
      // if login details then match assign id from database as session variable for authentication
    }   
?>

Can someone tell me exactly what I need to do avoid XSS for this particular form? From What I've read, it seems more useful to use htmlspecialchars instead of addslashes for the value of the text field but I'm not sure if this will resolve the problem.

Jay
  • 9
  • 8

2 Answers2

0

The concept in any kind of injection is ambiguity between a command and data. When you have a situation where arbitrary data is used in the same place as a command, you have a potential spot for injection.

It applies to XSS as if an attacker can control what's on your web page through crafty usage of inputs, they can add malicious scripts and do whatever they want.

The problem you have is where you're using addslashes(). This is not appropriate for escaping data to be used in the context of HTML. You have text data but you are effectively treating it as HTML because you're injecting it directly into your page. An attacker can push in some $_POST data that will add script tags or whatever to your page.

To fix this, properly escape any and all data used in a different context. In your case, htmlspecialchars() around your variables in HTML is what you want.

You need the same for your $error message as well. Sure, it's unlikely you'll attack your own site, but you want to generate valid HTML right? Don't get surprised when a stray bracket ends up in an error message and breaks your page.

Brad
  • 159,648
  • 54
  • 349
  • 530
0

Never trust anything that comes from a device that you don't control, in this case I'm assuming it's a browser. You must sanitize or otherwise filter all content so that it cannot be executed in the browser when it's returned to it. You also need to also make sure that it cannot be used for SQL injection etc but that's another problem.

You need to read up on XSS as much as you can. This site is very useful...

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Cross-Site Scripting (XSS) attacks occur when:

Data enters a Web application through an untrusted source, most frequently a web request.

The data is included in dynamic content that is sent to a web user without being validated for malicious content.

In your example you have a form that appears to be taking raw POST data and returning it to the user ie

 <input class="form-control" name="login" value="<?php echo addslashes($_POST['login']); ?>"/>

and

<input class="form-control" type="password" name="loginpassword" value="<?php echo addslashes($_POST['loginpassword']); ?>"/>

While sites like stackoverflow can provide a point solution to your problem what you really need is a general understanding of XSS etc.

Community
  • 1
  • 1
Harry
  • 11,298
  • 1
  • 29
  • 43
  • Thanks for your answer. I actually did read that link some time ago along with other info. From my understanding, the addslashes was the issue and i needed to use htmlspecialchars. but i just wanted to be 100% sure that this was the only XSS vulnerability. – Jay Apr 07 '16 at 03:07