> I am searching for a robust and easy way to protect all the PHP sites
> against XSS attacks. I would like to see more and better ways ?!

It is close to impossible to protect all PHP scripts from XSS. This is because scripting can be interpreted in so many different ways by browsers. I plan on writing a paper on how to evade script filtering in web applications soon. I hope this stops people from relying on htmlspecialchars() to save them from XSS. This will not protect you from all scripting attacks!

Also, you are just sending the input values of parameters. What about the names of the parameters (the $key variables)? They could contain potentially dangerous XSS which is often printed to the client.

Also, user input (GPC) is not the only tainted data in a script. Any data that comes from an outside source is potentially dangerous. Files, databases, ENV variables, etc. need to be treated as if they contain the most clever tricks to evade your filtering and protection schemes.

XSS, script injection, file writing, etc. (any output problem) should all be solved by output filters. Doing input filtering does no good if the string can be manipulated or other values printed to the output from within the script. The best solution I've seen is based on the idea Sverre H. Huseby brought up of keeping the tainted (variable - anything that could be changed by an attacker or could hold unsafe data) and safe (static - defined within the script or known to be safe) data separate and then filtering the possibly tainted data as a whole before output.

A universal solution to XSS or almost any security problem is not possible. This is because you need to consider function as well as security. Being able to not allow [^a-zA-Z0-9] is great, but this limits things severely. I don't think it is good to be giving programmers the idea that security can be solved by pasting in a few lines of code in their programs. Instead they should be aware of the security issues, and have to come up with dynamic solutions themselves. Make them think, they are programmers after all.

> Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP. Anyone
> take a stab at it yet?

$value = preg_replace("%[^a-zA-Z0-9]%", ' ', $value);

Personally, I signed up to this list to get vulnerability development discussion. I do not know how this thread would ever pass as that.

--
please use b0iler ^^at^^ eyeonsecurity.net my smtp is just acting up atm.
http://b0iler.eyeonsecurity.net
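As an added example (not code from the original post or thread), one way to apply the tainted/safe separation and output-time filtering described above in PHP, assuming a hypothetical Tainted wrapper class and renderParams() function:

```php
<?php
// Added example, not from the original thread. Attacker-controlled data is
// wrapped as Tainted and encoded only at the point of output, so the output
// context (here: HTML text / quoted attribute) decides the escaping, not the
// input source. Class and function names are hypothetical.

final class Tainted {
    public $raw;
    public function __construct(string $raw) { $this->raw = $raw; }
}

// Encoder for HTML text nodes and double-quoted attribute values only.
// It is NOT sufficient for other contexts (inside <script>, an unquoted
// attribute, a URL, CSS); each of those needs its own encoder.
function outHtml($v): string {
    // Safe literals (plain strings defined in the script) pass through;
    // anything Tainted is encoded.
    if (!($v instanceof Tainted)) {
        return $v;
    }
    // ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE keeps the
    // encoder from returning an empty string on malformed UTF-8.
    return htmlspecialchars($v->raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Echo the request back: both the parameter NAME ($key) and its value come
// from the request, so both are treated as tainted.
function renderParams(array $params): string {
    $rows = '';
    foreach ($params as $key => $value) {
        $rows .= '<tr><td>' . outHtml(new Tainted((string) $key))
               . '</td><td>' . outHtml(new Tainted((string) $value)) . "</td></tr>\n";
    }
    return "<table>\n" . $rows . "</table>\n";
}

// Constructed sample request standing in for $_GET. The second key shows
// that a hostile parameter *name* is neutralised as well as a hostile value.
$request = [
    'q'                  => 'shoes <b>"sale"</b>',
    '"><b>injected</b>'  => "O'Brien",
];
echo renderParams($request);
```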
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 07:01:45 PDT