Search the Community
Showing results for tags 'xss'.
Found 4 results
Is there a way to prevent that a malicious person crafts a piece of code that changes the value of an action attribute? Like when you have this line of html: <form method="post" name="register" action="<?php echo $_SERVER['PHP_SELF']; ?>"> but the attacker places the entire script on his own server. Is this XSS? What are the consequences of gaining/finding protected data? If this kind of attack is possible, can someone show with an example how this is done?
In my webpage, I am going allow clients (X)HTML. To avoid XSS, I will use HTML Purifier, and disable the <script> tag (and some other dangerous tags). Yet I would like to enable designers of those (X)HTML to use certain programming-like features, for example displaying a list of items, which would need a for-loop. Then I came up with the idea that : users submit the XSL code, I provide the XML with the data required by the users. As HTML Purifier cannot sanitise XSL code (can it?), my proposed flow would be: [*]User submits a piece of XSL code.[*]In the server, there are some sample data (sample XMLs). PHP is used to do the XSL transform with those sample XML data.[*]Pass the output XHTML to HTML Purifier. If HTML Purifier detects any prohibited elements in the code, stop process and show the errors to user.[*]If it passes HTML Purifier, check it against the W3C validator. (This is just a double check. Outputs from HTML Purifier should be valid.)[*]Save the piece of XSL code into database. Use (include) it whenever needed. Do you think the flow above can assure the final XSL code saved into the database is clean (given that HTML Purifier is perfect)? Another concern is that, (this is the main question here), is it safe to accept arbitrary XSL codes, and perform XSL transform by PHP in the server? Could there be any security holes that some XSS, injection, etc being included in the XSL codes, such that being harmful to the server or the PHP programs? Finally, if there are any other ideas/design to achieve this, any solutions are welcomed! Thanks a lot!
xekon posted a topic in PHPCMS/Forum Session/cookie management and security, picking a good example. I am starting an opensource GPL forum project primarily for the sake of learning. I have been looking at the different implementations for user authentication and session management of different CMS and forum packages.Trying to go through and learn what is being done. Also wondering which makes for the best example of a good clean way to implement it.I would prefer to store the bare minimum cookies client side and keep most data in session variables server side.Unless there is a good reason to have another cookie or two, like if it somehow added additional security. SMF & Drupal makes use of the standard session_start(), and both also use database for session management.(more scalable) phpBB3 also uses the databse for session management, but does not use the standard "session_start()"it uses custom implementation using session_begin() , session_create() , session_kill() , session_gc() I like that Drupal only had the one session cookie, however it takes me much longer to follow the functions and understand what is happening with drupal code.In drupal a lot of things are generated like forms etc, using a single function, this is very clean as it reuses a lot of code, however I would rather learn from something easier to follow.I can always make the code more efficient afterwards. mybb seemed to set more cookies than the rest, and did not make use of the standard session_start(), I am unsure if it uses the db for session management. Right now I think I have it narrowed down to either SMF or PHPBB3, I am kinda leaning toward PHPBB because of a post I found: I read this post: https://www.phpbb.co...49840#p12949840 "Stealing a session id/key is not enough to get logged in. The IP must match to the extent defined in the ACP.Also, the browser user-agent must match (enabled by default). Additionally, you can have it check the x_forwarded_for value." I would think the extra checks like user-agent, IP, x_forwarded_for would help mitigate xss and sesion fixation.phpbb3 key function quotes:"Multiple keys may exist for each user representing different browsers or locations."I am curious if they limited the number of sessions per user, so that a malicious user cant intentionally create Tons of session keys on purpose. SMF may have the same checks, I am unsure. (I do not see IP or x_forwarded_for checks in the 'cookies and Sessions' admin section of smf, but they could be hardcoded.) Any insight or opinions on the subject are appreciated, or if you know of another opensource CMS or Forum that I should take a look at as a good example. at the moment I am leaning towards further studying the phpbb3 implementation and tryint to implement something similar.