1

I am creating a very basic iPhone simulator and what I want to do is just have it in one location, and then any site that we have and want to put it on, we would just call it using: http://www.example.com/iphone-test.php?url=http://www.example.com/mobile/

Is there anything I need to look out for that could be un-safe? There is no database involved or anything, but just in case someone wanted to mess around and put some stuff in the URL, what are some things I can do to help make this a little more safe?

Here is my code:

<?php
    if(isset($_GET['url'])) {
        $url = $_GET['url'];
        ?>

        <!doctype html>
        <html lang="en">
            <head>
                <meta charset="utf-8">
                <title>iPhone Test</title>
                <style type="text/css">
                #iphone { 
                    background:url(iPhone.png) no-repeat; 
                    width:368px; height:706px; 
                    position:relative; 
                    overflow:hidden;  
                }
                #iphone iframe {
                    position:absolute; 
                    left:30px; 
                    top:143px; 
                    border:0;overflow:hidden; 
                }
                </style>
            </head>
            <body>
                <div id="iphone">
                <iframe src="<?=$url;?>" width="307" height="443"><p>Your Browser does not support iFrames.</p></iframe>
                </div>
            </body>
        </html>
        <?php
    }
?>

Edit: Thanks for all of your help. I did some research and here is what I have so far:

<?php
include_once 'filter.php';
$filter = new InputFilter();   

if(isset($_GET['url'])) {
if (filter_var($_GET['url'], FILTER_VALIDATE_URL)) {
    $url = $filter->process($_GET['url']);
?>

Source: http://oozman.com/php-tutorials/avoid-cross-site-scripting-attacks-in-php/

Class: http://www.phpclasses.org/browse/file/8941.html

What do you think?

Drew
  • 6,736
  • 17
  • 64
  • 96
  • Well for a start, make sure the URL doesn't start with `javascript:`... And also make sure you have URL encoded the URL at the client side before it is passed into the script. – DaveRandom Sep 13 '11 at 14:32
  • Don't trust the client to encode data to make it safe for the server to insert into a document. – Quentin Sep 13 '11 at 14:36

6 Answers6

4

You should use PHP's filter_var to check it's valid...

    if (isset($_GET['url'])) {
        if (filter_var($_GET['url'], FILTER_VALIDATE_URL)) {
            $url = $_GET['url'];
        }
    }
fire
  • 21,383
  • 17
  • 79
  • 114
3

If this page is accessible for anyone to access then you are opening yourself up to XSS and Phishing redirects. For example, try adding this to your URL params:

?url="></iframe><script>alert(123)</script>

In Firefox 6.02 that fires off the alert. Which means that any JS could be fired and used to redirect users who think they are visiting your site. Or it could be used to steal cookies that are not marked HTTPOnly.

This can be mitigated by encoding for HTML attributes. Which is described here from OWASP:

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute. The reason this rule is so broad is that developers frequently leave attributes unquoted. Properly quoted attributes can only be escaped with the corresponding quote. Unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > ^ and |.

Reference: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes

Now, for your other issue that the above will nto address. If you allow just any arbitrary URL to be entered, then there is nothing stopping someone from doing something like this:

?url=http://myevilsite.com/redirect.php

And have that page redirect the user:

window.top.location.href = "http://www.site.com";

The only thing you can do about that is to use a white list of acceptable URLs.

Jason Dean
  • 9,585
  • 27
  • 36
  • Thanks so much. Just updated my answer, how is that? It protected against that url parameter you mentioned. – Drew Sep 13 '11 at 14:55
  • It looks like that library is simply a black-list filter. Black-lists are rarely good enough. It is almost impossible to filter out everything that could cause you trouble. You are better off doing proper encoding of the HTML attribute. Also, that still does not address the issue of iframe parent redirects or simply loading an iframe that could be used for phishing. You really should institute a white-list of allowed URLs – Jason Dean Sep 13 '11 at 15:09
  • Is it possible to check if the site is on my server? If the IP of the site = _____ then it is good to go? – Drew Sep 13 '11 at 15:51
  • Typically I think we would check the host/domain name. It is difficult to determine the IP of a site based a string of the domain. You'd have to figure out a way to ping it. Typically just checking the host/domain is acceptable. And yeah, I would think that kind of white-listing combined with proper encoding (for XSS protection) would work. – Jason Dean Sep 13 '11 at 15:58
  • Actually gethostbyname does it for me! http://php.net/manual/en/function.gethostbyname.php Grabs the IP for the specific domain. – Drew Sep 13 '11 at 17:12
2

The request method does not provide any securiy features, please see this answer

You need to be 100% sure beyond doubt that your code will not hijack that frame with javascript or lead the person to a malicious domain, or lead to a request form on your page that does something they don't want.

You can see some examples out here of that:

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

<iframe src=http://ha.ckers.org/scriptlet.html"></IFRAME>

You could have the person lead to post something as well...

Anyway, I can steal all your cookies, or trick the user into thinking they're still on your site but really be on mine where I get all their precious information.

Just stop, before you go any further you need to know what your doing, and you start by reading this.

Community
  • 1
  • 1
Incognito
  • 20,537
  • 15
  • 80
  • 120
  • Thank you! Please check my updated answer and let me know what you think. – Drew Sep 13 '11 at 14:56
  • Not overly confident about it, it's not specific to what you're doing. Go learn before you do anything. http://google-gruyere.appspot.com/ – Incognito Sep 13 '11 at 15:05
1

You are vulnerable to cross site scripting.

All someone has to do is include "></iframe><script>EEEEVVvvvillll!!!! in the URL, or use a non-HTTP/HTTPS URI.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • Thank you. I just updated my answer whenever you get a chance, does that look like a good solution? – Drew Sep 13 '11 at 14:56
1

Here is a list for the security concerns involved here..

IFrames security summary

Wednesday, 24 October 2007 I’ve decided to collect the various proof of concepts I’ve done and summarise why iframes are a security risk. Here are the top reasons:-

  1. Browser cross domain exploits

Description:- Because you can embed another web site inside your page, you can exploit that page and perform actions as that user and doing anything on a chosen web site.

Proof of concept:- Safari beta 3.03 zero day

  1. XSS/CSRF reflection attacks

Description:- Using iframes embedded onto a compromised site an attacker then can reflect attacks to other servers therefore making attacks difficult to trace and having a focal point to conduct attacks.

Proof of concept:- None available for this type of attack as it would be difficult to show the method without actually conducting an attack.

  1. CSS and iframes can scan your LAN from the internet!

Description:- By exploiting features in CSS and using iframes to check if the default IP address exists, it’s possible to get your network address range quite easily providing the network device uses the default out of the box IP address.

Proof of concept:- CSS LAN scanner

  1. LAN scanning with Javascript and iframes

Description:- Using a similar method as above it is possible to gain your LAN information using Javascript.

Proof of concept:- Javascript LAN scanner

  1. CSS iframe overlays

Description:- Iframes can be embedded inside each other in Firefox and you can alter their appearance to create seamless overlays with any site. This would make it very difficult for a user to know which site they are interacting with and fool them to performing an action.

Proof of concept:- Verisign OpenID exploit (now fixed)

  1. URL redirection

Description:- Iframes also allow you to perform redirection so you can have access to URLs which normally wouldn’t be accessible. In the delicious example, the POC redirects from delicious/home to your account bookmarks and then uses CSS overlays to display your first bookmark. Firefox and a delicious account are required for the POC.

Proof of concept:- Delicious CSS overlay/Redirection

Original here

You could make it a lot safer by acting like a proxy, load up the requested URL in PHP, strip everything out of the HTML (javascript etc) and then display it in the iframe pointed at a webpage on your server

Micky
  • 514
  • 3
  • 19
0

Simply use strip_tags(), to void any evil script entry:

$url = strip_tags($_GET['url'])
SaidbakR
  • 13,303
  • 20
  • 101
  • 195