Security Simplified - Reflected XSS
Vulnerable Code Snippet
```php
if (isset($_GET['name'])) {
    echo "Hello " . $_GET['name'];
}
```
So basically the code consists of two lines: the first is the if statement and the second is the echo statement.
isset() is a function that checks whether a variable is set (declared) and holds a non-null value. It returns true in that case, otherwise false.
$_GET is a PHP superglobal array used to access GET-based parameters from anywhere in the PHP script. As an example, if you visit the URL https://snapsec.co/book.php?id=1, the GET-based `id` parameter in the URL can be accessed by book.php with the following code:
```php
echo $_GET['id'];
```
The echo statement prints (reflects) the value inside the quotes; this data is written into the response sent to the user.
So in conclusion, what we understand from this code snippet is that it checks whether the GET-based parameter `name` is set in the URL; if it is set, it prepends "Hello " to the value of `name` and sends the result in the response to the user.
- On visiting the code snippet via the browser and passing a `name` parameter, it can be seen that the value of the `name` parameter is reflected back to the user.
- Now, what happens if the value of the
- On having a closer look at the source code of the page, you can see that the reflected value is treated as HTML code and gets executed in the browser.
Where is the problem
Now the question is: which part of the code snippet is vulnerable, and what makes it vulnerable?
The answer is quite simple. The piece of code responsible for reflecting data to the user does not encode special characters before sending it, which allows the attacker to achieve XSS. To be more specific, the `echo` statement is responsible for the vulnerability.
Mitigating the Issue
In general, the solution is careful input validation combined with context-sensitive output encoding of the user input. In this case, the user input can be wrapped in the htmlentities() function, which converts the majority of special characters to HTML entities.
Hence the final code will look like this:
```php
echo "Hello " . htmlentities($_GET['name']);
```
Confirming the FIX
- On going back and trying to inject an image in the name parameter, you can see that we were no longer able to inject new HTML code.
- This is because all the special characters were properly encoded by the htmlentities() function before being sent to the user.
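The fix and its confirmation, as an added example that is not code from the original post: the vulnerable reflection beside the encoded form, plus a command-line self-check on constructed inputs so the fix can be verified without a browser. It assumes PHP 7.4 or later; the function names greetVulnerable(), encodeForHtml(), greetFixed() and leaksMarkup() are chosen for this example only.

```php
<?php
// Added example, not code from the original post: the vulnerable reflection
// beside the encoded form, with a small command-line self-check.
// Assumptions: PHP 7.4+; function names greetVulnerable(), encodeForHtml(),
// greetFixed() and leaksMarkup() are chosen for this example only.

declare(strict_types=1);

// Vulnerable form from the post: the GET value goes into the response as-is.
function greetVulnerable(string $name): string
{
    return "Hello " . $name;
}

// Encoder for the HTML text and attribute contexts.
// ENT_QUOTES encodes both ' and ", so the output is also safe inside a quoted
// attribute value; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
// returning an empty string. The flags are passed explicitly because the
// default in PHP versions before 8.1 was ENT_COMPAT, which leaves single
// quotes alone.
function encodeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fixed form: same response, but every special character is an entity.
function greetFixed(string $name): string
{
    return "Hello " . encodeForHtml($name);
}

// Returns true when characters that could start or end markup survived into
// the response. '&' is deliberately not checked: it is the entity introducer,
// so it is expected to appear in the encoded output.
function leaksMarkup(string $response): bool
{
    return strpbrk($response, "<>\"'") !== false;
}

if (PHP_SAPI !== 'cli') {
    // Served over HTTP: behave like the post's snippet, with the fix applied.
    // Declaring the charset keeps the browser's decoding in line with the encoder's.
    header('Content-Type: text/html; charset=UTF-8');
    if (isset($_GET['name'])) {
        echo greetFixed($_GET['name']);
    }
    exit;
}

// Constructed inputs for the self-check: ordinary text plus the characters
// that matter in the HTML context.
$samples = [
    'plain'     => 'Alice',
    'tag'       => '<b>Alice</b>',
    'dquote'    => 'Alice "the" tester',
    'squote'    => "Alice's page",
    'ampersand' => 'Tom & Jerry',
];

foreach ($samples as $label => $input) {
    $vulnerable = greetVulnerable($input);
    $fixed      = greetFixed($input);
    printf("%-9s vulnerable: %s\n", $label, $vulnerable);
    printf("%-9s fixed:      %s  [%s]\n\n", $label, $fixed,
        leaksMarkup($fixed) ? 'MARKUP SURVIVED' : 'inert');
}
```

Run it as `php hello.php` for the self-check, or serve it with `php -S localhost:8080 hello.php` and pass `?name=` to see the encoded response in a browser. Because the flags are explicit, the behaviour is the same on PHP 7.4 and 8.x; if the input ever needs to land in a JavaScript or URL context instead of HTML, a different encoder for that context is required, not htmlentities().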
Snapsec is a team of security experts specialized in providing pentesting and other security services to secure your online assets. We have a specialized testing methodology which ensures in-depth testing of your business logic and other latest vulnerabilities.
If you are looking for a team which values your security and ensures that you are fully secure against online security threats, feel free to get in touch with us at email@example.com.
Thanks and see you soon.