.
This perl script saves user input in a shared file (this can be from any user on the web).
The link 'Show me the strings' executes xssShowStrings.php
this reads the contents of the shared file (with web users saved strings) and displays them.
Unfortunately, Some bad strings (0-6)
will be interpreted by browsers as html (and javascript).
To sum up, a user that saves strings like 0-6 will cause other users
to view html or worse, execute javascript. Remember, the intention was that the user
views the verbatim text saved in the shared file.
What are cookies and what does this have to do with it?
xssSetSecret.php.
This script causes a cookie (attribute/value pair) to be set on the browser.
In particular, the cookie will be called secret with value equal
to whatever the user submits. Each time the browser visits a webpage
within this website, the browser will return the attribute/value pair
to the website.
This interaction is like obtaining a membership card from a club
Each time you visit the club, you show your membership card.
When the browser now visits the 'Show me my secret' the browser automatically
sends the cookie (shows the membership card). This link executes
xssShowSecret.php
which simply echoes back the cookie the browser sent.
In class, I used the above form to set a cookie on my browser and to view the set cookie.
What if others can send you strings?
At this point we had a cookie set on the browser. This cookie was sent back
to any application on the website (including the xssSaveString.pl script!!).
Preventing XSS
- Know your inputs: Define clearly the type of input you expect from the user, (ie [a-z, A-z, 0-9, ]) and reject the rest.
This is whitelisting. Your 'good' inputs should not include anything that can be misinterpreted
by a browser.
- An alternative is to escape all input from the user. This is still dangerous.
as you must be aware of the ways other browsers interpret escaped
characters. See htmlspecialchars and htmlentities in PHP.