
I have scanned my PHP code using the AppScan Source tool (from HCL Software) and found that there are almost 350 XSS-type issues of various patterns.

Wondering what is a good way in PHP to fix them? Most of them are due to HTML that we echo or add dynamically.

An example line flagged as XSS in the scan is given below:

echo '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">';
  • There are no XSS issues with that line, unless you _don't_ want to output that data as XML? – M. Eriksson Nov 27 '20 at 08:02
  • Your question is not that clear. If I think what you've meant by this, then here is your answer. Try updating your question so it's better to understand what you are trying to do. – Mark dG Nov 27 '20 at 08:05
  • My scan is indicating that there is an XSS issue with the line @MagnusEriksson – Madhavarao Kulkarni Nov 27 '20 at 10:21
  • The scanner might have complained about the value in `xmlns` since that points to an external source. It's not unheard of that scanning engines mark that as a vulnerability. – M. Eriksson Nov 27 '20 at 15:32

1 Answer

XSS stands for Cross-Site Scripting; these are attacks, a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

We want to prevent this from happening. Since you are using PHP this won't be resolved using http://htmlpurifier.org/. You'll have to use another method. What you can try are the following options:

  • Encrypt your values inside the echo statement.
  • Your application code should never output data received as input directly to the browser without checking it for malicious code.

These are simple steps to prevent an XSS attack from happening:

  1. Train and maintain awareness.
  • To keep your web application safe, everyone involved in building the web application must be aware of the risks associated with XSS vulnerabilities. You should provide suitable security training to all your developers, QA staff, DevOps, and SysAdmins. You can start by referring them to this page.
  2. Don’t trust any user input.
  • Treat all user input as untrusted. Any user input that is used as part of HTML output introduces a risk of an XSS. Treat input from authenticated and/or internal users the same way that you treat public input.
  3. Use escaping/encoding.
  • Use an appropriate escaping/encoding technique depending on where user input is to be used: HTML escape, JavaScript escape, CSS escape, URL escape, etc. Use existing libraries for escaping, don’t write your own unless absolutely necessary.
  4. Sanitize HTML.
  • If the user input needs to contain HTML, you can’t escape/encode it because it would break valid tags. In such cases, use a trusted and verified library to parse and clean HTML. Choose the library depending on your development language, for example, HtmlSanitizer for .NET or SanitizeHelper for Ruby on Rails.
  5. Set the HttpOnly flag.
  • To mitigate the consequences of a possible XSS vulnerability, set the HttpOnly flag for cookies. If you do, such cookies will not be accessible via client-side JavaScript.
  6. Use a Content Security Policy.
  • To mitigate the consequences of a possible XSS vulnerability, also use a Content Security Policy (CSP). CSP is an HTTP response header that lets you declare the dynamic resources that are allowed to load depending on the request source.
  7. Scan regularly (with Acunetix).
  • XSS vulnerabilities may be introduced by your developers or through external libraries/modules/software. You should regularly scan your web applications using a web vulnerability scanner such as Acunetix. If you use Jenkins, you should install the Acunetix plugin to automatically scan every build.

I'll include two short examples of encoding in PHP here. You could try the htmlspecialchars I suggested to you earlier. I'll give an example with the line of code you gave in your question.

echo '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">';

Would be changed to:

echo htmlspecialchars('<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">', ENT_QUOTES, 'UTF-8');

You could also use an HTML encoder and place the result inside an echo, for example:

echo "&lt;OpenSearchDescription xmlns=&quot;http://a9.com/-/spec/opensearch/1.1/&quot; xmlns:moz=&quot;http://www.mozilla.org/2006/browser/search/&quot;&gt;";

These all give the output: <OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">.

Here is a short explanation of what XSS does. In a Cross-site Scripting attack (XSS), the attacker uses your vulnerable web page to deliver malicious JavaScript to your user. The user’s browser executes this malicious JavaScript on the user’s computer. Note that about one in three websites is vulnerable to Cross-site scripting.

Google Code University also has these very educational videos on Web Security:

EDIT: This website may also help you: http://htmlpurifier.org/ <- this rewrites your code. As said in a review by IRIS: "I'd just like to say we use HTML Purifier in IRIS for filtering emails against XSS attacks and we've been more than impressed." Take a look into it, it might help you out.

    I'll delete my older one and update this more recent version. Sorry for possible confusion. – Mark dG Nov 27 '20 at 15:52
  • I tried echo htmlspecialchars('', ENT_QUOTES, 'UTF-8'); and found after scanning again I got the same issue reported in the scan report. Then I changed to echo "<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">" and found the scan resulted in zero issues. That means by using the function I can definitely protect a dynamic site, but for static content I should convert and use it. – Madhavarao Kulkarni Nov 28 '20 at 14:42
  • Glad it helped, you could just use an html encoder online like: https://www.convertstring.com/nl/EncodeDecode/HtmlEncode to encode your strings. – Mark dG Nov 28 '20 at 22:44
  • After all changes, now my web page is displaying all the HTML chars rather than the actual content. Don't know if there are any other ways to solve that. – Madhavarao Kulkarni Nov 29 '20 at 12:58
  • I had the same issue when helping you out. What you need to do is just remove the first few and last few characters. You only need the `<` and the `">` parts on the end. – Mark dG Nov 29 '20 at 15:45
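An added PHP example, not part of the question or the answer above, showing how a practitioner would handle the scanned line: keep the static `<OpenSearchDescription>` markup as a literal and apply `htmlspecialchars` only to the dynamic values inserted into it. The function names and the untrusted input values are constructed for this example.

```php
<?php
// Added example: escape the dynamic data, not the static markup.
// Context-aware escaping for text nodes and attribute values in XML/HTML.
// ENT_QUOTES covers both quote styles; ENT_XML1 keeps the output valid XML.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Builds an OpenSearchDescription document. The element and namespace
// declarations are developer-written constants, so they are emitted as-is;
// only the attacker-reachable values ($shortName, $searchUrl) pass through esc().
function renderOpenSearch(string $shortName, string $searchUrl): string
{
    return '<?xml version="1.0" encoding="UTF-8"?>' . "\n"
        . '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/"'
        . ' xmlns:moz="http://www.mozilla.org/2006/browser/search/">' . "\n"
        . '  <ShortName>' . esc($shortName) . '</ShortName>' . "\n"
        . '  <Url type="text/html" template="' . esc($searchUrl) . '"/>' . "\n"
        . '</OpenSearchDescription>' . "\n";
}

// Constructed untrusted input (hypothetical values) containing characters
// that would otherwise close the text node or break out of the attribute.
$shortName = 'Site Search <script>alert(1)</script>';
$searchUrl = 'https://example.com/search?q={searchTerms}&x="><b>';

header('Content-Type: application/opensearchdescription+xml; charset=UTF-8');
echo renderOpenSearch($shortName, $searchUrl);

// For contrast: escaping the whole static literal, as the comments above tried,
// turns the tag into inert text rather than markup. The call
//   htmlspecialchars('<OpenSearchDescription xmlns="...">', ENT_QUOTES, 'UTF-8')
// yields "&lt;OpenSearchDescription xmlns=&quot;...&quot;&gt;", which the browser
// displays as those literal characters instead of parsing an element, which is
// exactly the "displaying all HTML chars" symptom reported in the comments.
```

The static echo from the question carries no request-controlled data, so the scanner finding on it is a false positive; the escaping belongs on whatever variables are later concatenated into that document.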