Is $_SERVER['QUERY_STRING'] safe against XSS?

I need to create a form whose action returns you to the same page - GET parameters are included. I think I can say something like:

 echo '<form action="'.$_SERVER['SCRIPT_NAME'].'?'.$_SERVER['QUERY_STRING'].'" method="post">';

This seems to work, and testing it by passing several XSS attacks seems successful, since the output of QUERY_STRING appears to be URL-encoded. However, the PHP documentation does not mention this, so I'm not sure I can trust this behaviour.

Is it possible to use QUERY_STRING as I am above? If not, what can I do instead? Links to documentation will be appreciated.

Update: switched to SCRIPT_NAME; I just mixed up in my head which one was fine and which was bad, thanks for catching me. action="" does a great job for my specific problem, but I'm still wondering whether QUERY_STRING has been pre-processed so that it can be used safely or not, because there are other cases where you might reuse the query string, treating it as safe for this.

+4
5 answers

You should not trust $_SERVER['QUERY_STRING'], as it can be used for XSS attacks.

In your case, the vulnerability can be triggered with:

 http://your.server.com/your_script.php?"><script>alert(111);</script> 

Please note that the above works in IE; Firefox and Chrome encode the query string before sending it to the web server.

I would always wrap it in htmlentities (mind the double_encode parameter), as with every user input.

Good luck

+7
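As an added example (not code from the question or from this answer), here is the vulnerable concatenation next to the same line with output escaping, run against the payload from this answer as a constructed, unencoded query string. The script path /your_script.php is a hypothetical value.

```php
<?php
// Added example, not code from the question or this answer. PHP hands
// $_SERVER['QUERY_STRING'] over exactly as the client sent it (no decoding, no
// sanitising); most browsers percent-encode '"' and '<' before sending, but any
// other client can send them literally, so the server must escape at output.

declare(strict_types=1);

/** Vulnerable: raw query string concatenated straight into an HTML attribute. */
function form_action_raw(string $scriptName, string $queryString): string
{
    return '<form action="' . $scriptName . '?' . $queryString . '" method="post">';
}

/** Hardened: the whole URL is escaped for the attribute context. */
function form_action_escaped(string $scriptName, string $queryString): string
{
    $url = $scriptName . ($queryString !== '' ? '?' . $queryString : '');
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning ''
    // on invalid UTF-8 (which would silently drop the whole action).
    return '<form action="' . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '" method="post">';
}

// Constructed input: the payload from the answer above, delivered unencoded.
$script = '/your_script.php';   // hypothetical script path
$query  = '"><script>alert(111);</script>';

// The raw version lets the '"' close the action attribute, so a <script>
// element ends up in the page.
echo form_action_raw($script, $query), PHP_EOL;

// The escaped version turns '"', '<' and '>' into entities, so the payload stays
// inside the attribute; the browser percent-encodes it when it submits the form.
echo form_action_escaped($script, $query), PHP_EOL;

// A benign query string also survives: '&' becomes '&amp;', which the browser
// decodes back to '&' when it resolves the attribute value.
echo form_action_escaped($script, 'page=2&sort=name'), PHP_EOL;
```

Run it with `php` on the command line and compare the two form tags. The point is that the query string is never "pre-processed" for you; escaping for the context it is written into (here an HTML attribute) is what keeps it inside the attribute.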

First of all, you cannot trust $_SERVER['PHP_SELF'] (1); use $_SERVER['SCRIPT_NAME'] instead.

As for $_SERVER['QUERY_STRING'], you should treat it like any other user input. Filter it before using it in your output. In this case, I would not recommend some kind of general filter. It would be better to compile a query string from the specific parts that you expect there.

+1

To decide whether it can be used for XSS, you first need to know which attack you mean. In the code posted here, there is only one simple attack, the one using PHP_SELF.

But, to avoid any problems, you can simply leave the form action blank. This will submit the form to the same page, including the query string.

+1

I can't think of any attacks that would work off the top of my head, but PHP_SELF itself is vulnerable and you use QUERY_STRING without any filtering, which seems strange.

Why not just leave the action parameter blank and let the browser handle it? You can use JavaScript to enforce this behaviour on the client side if you want to be sure.

0

This is another one of those cases where using PHP's filter_input is the way to go. My NetBeans IDE (hate it or love it) always complains whenever I open code that accesses $_POST, $_GET, $_SERVER and $_COOKIE directly without going through filter_input.

This is for the reasons given above: you are saying that you trust external data when, if it can be entered or manipulated by users, you cannot.

 // Integer parameter from POST: keeps only digits, '+' and '-'
 filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT);
 // Query string from the server variables (FILTER_SANITIZE_STRING is deprecated since PHP 8.1)
 filter_input(INPUT_SERVER, 'QUERY_STRING', FILTER_SANITIZE_STRING);
 // No filter given, so FILTER_DEFAULT applies and the value is returned unchanged
 filter_input(INPUT_POST, 'another_field');

More here

0
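The following is an added example (not code from the question or from any answer above) that combines two suggestions from this thread: build the self-referencing action from the parameters the page actually expects instead of from the raw QUERY_STRING, and run those parameters through the filter extension. filter_input() only works on a live request, so this command-line-runnable version applies the same filter definition with filter_var_array() to a constructed $_GET-like array. The page name /search.php, the parameter names and the regexp are hypothetical.

```php
<?php
// Added example, not code from the question or any answer above. Shows the
// "compile the query string from the parts you expect" approach together with
// the filter extension: validate each parameter against its expected type, drop
// everything else, then escape at output time for the HTML attribute context.

declare(strict_types=1);

// What this (hypothetical) page accepts. Anything not listed is dropped;
// anything listed that fails its filter comes back as false.
const EXPECTED_PARAMS = [
    'id'   => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'page' => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1, 'default' => 1]],
    // A search term: letters, digits, space and a few punctuation marks, at most 64 chars.
    'q'    => ['filter' => FILTER_VALIDATE_REGEXP, 'options' => ['regexp' => '/^[\pL\pN ._-]{0,64}$/u']],
];

/**
 * Validate the incoming parameters. Returns [bool $ok, array $params];
 * $params holds only expected keys that were present and passed their filter.
 */
function validate_params(array $get): array
{
    // add_empty=false: keys absent from $get are simply not returned.
    $filtered = filter_var_array($get, EXPECTED_PARAMS, false);
    $ok = true;
    $params = [];
    foreach ($filtered as $name => $value) {
        if ($value === false) {
            $ok = false;          // present but invalid: reject, do not "clean up"
            continue;
        }
        $params[$name] = $value;
    }
    return [$ok, $params];
}

/**
 * Rebuild the action URL from validated parameters only. http_build_query
 * percent-encodes the values for the URL; htmlspecialchars escapes the result
 * for the attribute. Both steps are needed because they protect different layers.
 */
function self_action(string $scriptName, array $params): string
{
    $url = $scriptName;
    if ($params !== []) {
        $url .= '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: one valid parameter, a payload in a listed parameter,
// and one parameter the page never asked for.
$incoming = [
    'page' => '3',
    'q'    => '"><script>alert(111);</script>',
    'junk' => 'ignored',
];

[$ok, $params] = validate_params($incoming);
if (!$ok) {
    // 'q' failed the regexp, so the request is rejected outright rather than
    // being echoed back in any form.
    echo '400 Bad Request: unexpected parameter value', PHP_EOL;
}

// A well-formed request goes through, and the action keeps only what was allowed
// ('junk' never reaches the output).
[$ok, $params] = validate_params(['page' => '3', 'q' => 'foo bar', 'junk' => 'x']);
echo '<form action="' . self_action('/search.php', $params) . '" method="post">', PHP_EOL;
```

Validation filters (FILTER_VALIDATE_*) return false on failure instead of silently altering the value, which is what you want for parameters you will put back into a URL; the sanitising filters in the answer above change the value, and FILTER_SANITIZE_STRING in particular is deprecated since PHP 8.1 and is not an attribute escaper. Keep the HTML escaping as its own last step regardless of which filters ran on input.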

Source: https://habr.com/ru/post/896963/
