-1

I am trying to redirect the user to requested_page after login. After googling, I tried this code.

Link to the login page:

    echo "<a href='/login.php?ref=" . urlencode($_SERVER['REQUEST_URI']) . "'>login</a>";

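And in login.php:

    // Take the redirect target from ?ref=, defaulting to the site root
    if ($_GET['ref'] != '') {
        $url = $_GET['ref'];
    } else {
        $url = "/";
    }

    // After a successful login, send the user back to the requested page
    if ($user->login($username, $password)) {
        $_SESSION['username'] = $username;
        header("location:http://" . $_SERVER['HTTP_HOST'] . $url);
        exit();
    }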

The above method works fine, but it is vulnerable to XSS:

    login.php?ref=<script>alert(%27Malicious%20content%27)</script>

So I added htmlspecialchars() like this:

    if ($_GET['ref'] != '') {
        $url = htmlspecialchars($_GET['ref']);
    } else {
        $url = "/";
    }

But it is not redirected; rather, it shows a 404 error.

Any help? How do I protect against an XSS attack?

sanoj lawrence
  • 1
    `echo 'login';` and the redirection part: `header('Location: http://' . $_SERVER['HTTP_HOST'] . $_GET['ref']);` – Roland Starke Jan 30 '20 at 09:55
  • @RolandStarke it doesn't work, I still see the `XSS` script – sanoj lawrence Jan 30 '20 at 10:11
  • The code outputs `login`. Where's the XSS vulnerability there? – Quentin Jan 30 '20 at 10:12
  • When I try `http://localhost:8000/login.php?ref=%3Cscript%3Ealert(%27Malicious%20content%27)%3C/script%3E` I see the `alert`; this is my problem. – sanoj lawrence Jan 30 '20 at 10:15
  • @Quentin here is the live demo http://www.safebrowser.tk/login?ref=%3Cscript%3Ealert(%27Malicious%20content%27)%3C/script%3E when I try `http://www.safebrowser.tk/login?ref=%3Cscript%3Ealert(%27Malicious%20content%27)%3C/script%3E` – sanoj lawrence Jan 30 '20 at 10:16
  • @sanojlawrence — Here's the code by itself: https://jsbin.com/lubeliwiqa/1/edit?html,output — whatever the vulnerability is, it isn't in the code you supplied. `http://www.safebrowser.tk/login` must have different code. – Quentin Jan 30 '20 at 10:18
  • Yeah. The vulnerability is at `
    Log in with social media account or email
    www.safebrowser.tk ` and nothing to do with the link you have in the question.
    – Quentin Jan 30 '20 at 10:20
  • @Quentin yes, that is what I am asking; I want to protect `login.php` `$_GET`. – sanoj lawrence Jan 30 '20 at 10:20
  • You apply protection to **the part of the code which is vulnerable** and not a different part of the code. See also https://stackoverflow.com/questions/3129899/what-are-the-common-defenses-against-xss – Quentin Jan 30 '20 at 10:21
  • @Quentin I want to show how I pass `?ref='value'` in the link. – sanoj lawrence Jan 30 '20 at 10:21
  • That's not where the code is vulnerable. The code is vulnerable just after the `
    `. You have to fix the code where it is vulnerable.
    – Quentin Jan 30 '20 at 10:23
  • @Quentin so no need to add `htmlspecialchars($_GET['ref']);`; the problem is with this part `<?= $_SERVER['HTTP_HOST'].$url ?>`, I just added this for `debug`. `
    Log in with social media account or email
    <?= $_SERVER['HTTP_HOST'].$url ?>`
    – sanoj lawrence Jan 30 '20 at 10:26
  • 1
    If you've deleted the code with the XSS vulnerability just after the `
    ` then the XSS vulnerability is gone and you don't need to do anything more.
    – Quentin Jan 30 '20 at 10:28

1 Answer

0

Finally solved.

The error was created by debugging code:

    if ($_GET['ref'] != '') {
        $url = htmlspecialchars($_GET['ref']);
    } else {
        $url = "/";
    }

    <h6 class="small text-black-50">Log in with social media account or email</h6>
    <?= $_SERVER['HTTP_HOST'].$url ?>

This created the issue:

    <?= $_SERVER['HTTP_HOST'].$url ?>

I removed this line and it was solved.

sanoj lawrence
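An added example, not part of the original answer or the poster's code: it keeps the two output contexts from this thread apart, validating `ref` as a local path for the `Location` header and applying `htmlspecialchars()` only where a value is written into HTML. The helper names (`local_redirect_path`, `debug_line`, `redirect_header`) and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example (not the poster's code). Helper names are hypothetical.

// Accept the ref parameter only when it is a path on this site.
function local_redirect_path($ref): string
{
    if (!is_string($ref) || $ref === '' || $ref[0] !== '/') {
        return '/';
    }
    // Reject "//" prefixes, backslashes, whitespace and control characters.
    if (substr($ref, 0, 2) === '//' || preg_match('/[\x00-\x20\x7f\\\\]/', $ref)) {
        return '/';
    }
    return $ref;
}

// HTML context: escape at the point of output. HTTP_HOST is taken from the
// request as well, so it is escaped together with the path.
function debug_line(string $host, string $url): string
{
    return htmlspecialchars($host . $url, ENT_QUOTES, 'UTF-8');
}

// Header context: the validated path goes into Location without HTML escaping.
function redirect_header(string $url): string
{
    return 'Location: ' . $url;
}

// Constructed sample values for ?ref=, as PHP sees them after URL decoding.
$samples = [
    '/profile.php?id=7&tab=posts',
    "<script>alert('Malicious content')</script>",
    '',
];

foreach ($samples as $ref) {
    // What the login handler would send after a successful login.
    echo redirect_header(local_redirect_path($ref)), "\n";
    // What an HTML page may safely print, even for the raw value.
    echo debug_line('localhost:8000', $ref), "\n\n";
}
```

In the first sample the HTML-escaped line contains `&amp;` while the header keeps the plain `&`, which is why the same value cannot be escaped once and reused in both places.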