XSS help

Discuss the many weaknesses of browser security and ways to mitigate the threat

XSS help

Post by WallShadow on Sat Sep 01, 2012 3:56 pm
([msg=69086]see XSS help[/msg])

I've been playing around with php and web programming lately and purposely made a form vulnerable to non-persistent XSS to try it out. For the most part the XSS works exactly as intended, but when using quotes and double quotes, the quotes and double quotes always come out with a back slash before them. For example:

The page is designed so that entering a , b into the 2 text fields will produce the same page with "Welcome b, a." written on the bottom.

Entering "a" , "b" results in:
Welcome \"b\", \"a\".

Entering 'a' , 'b' results in:
Welcome \'b\', \'a\'.

as a side note, backslash is also anti-escaped, i e:

Entering \a\ , \b\ results in:
Welcome \\b\\, \\a\\


Thus, when entering <script>alert(document.cookie);</script> it works fine, but entering <script>alert("abc");</script> results in an error due to the script becoming <script>alert(\"abc\");</script>

This shouldn't be happening as the code doesn't do any sort of filtering and I have no idea where this is coming from. I would be very grateful if someone can explain why this is happening and if it is possible to actually insert quotes for XSS into it.

Page link for anyone who wants to test it: http://randomsite.net78.net/PHPTesting/ ... esting.php
The site is owned by me and is hosted by a free web-hosting company so feel free to test the page as much as you want.

source code for the page:
Code: Select all
<html>
   
   <body>
      
      <!-- Welcome HTS -->
      
      <p>Please enter the following:</p>
      
      <form action="FormInputTesting.php" method="get">
         First name: <input type="text" name="fname" /> <br />
         Last name: <input type="text" name="lname" /> <br />
         <input type="submit" value="Enter" />
         
      </form>
      
      <p><?
         
         if (($_GET["fname"] != null) and ($_GET["lname"] != null))
         {
            
            echo "Welcome ", $_GET["lname"], ", ", $_GET["fname"], ".";
            
         }
         
      ?></p>
      
   </body>
   
</html>
User avatar
WallShadow
Contributor
Contributor
 
Posts: 594
Joined: Tue Mar 06, 2012 9:37 pm
Blog: View Blog (0)


Re: XSS help

Post by jack08642qa on Wed Oct 03, 2012 10:43 pm
([msg=69894]see Re: XSS help[/msg])

due to php's get_magic_quotes_gpc function in the php init file

I recommend disabling this as it is a false sense of security

and to do this add this line to your .htaccess file
Code: Select all
//Turns off magic quotes
php_value magic_quotes_gpc off
jack08642qa
New User
New User
 
Posts: 16
Joined: Wed Oct 03, 2012 10:14 pm
Blog: View Blog (0)



Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests

cron