I m getting a vulnerability alert from Mcafee Secure saying that there is an XSS vulnerability on my site. The string they use to produce it is:
I can t get the alert to display when submitting the URL, but McAfee swears it is a real vulnerability.
What s the best way to address that problem? I was thinking about using apache mod_rewrite to just rewrite all urls that contain the script tag. That said, I couldn t figure out how to write the expression to identify the tag.
It turns out that I had the following code that was echoing the URL inside the page.
<?
if($_SERVER[ HTTPS ]){
?>
<link rel="canonical" href="<? echo HTTP_SERVER.$_SERVER[ REQUEST_URI ]; ?>" />
<?
}
?>
I had forgotten to put htmlentities() around the request_uri. The following fixed it:
<?
if($_SERVER[ HTTPS ]){
?>
<link rel="canonical" href="<? echo htmlentities(HTTP_SERVER.$_SERVER[ REQUEST_URI ]); ?>" />
<?
}
?>
Your proposed solution - prevent the script tag - is the obvious, niave, and incorrect solution to resolving cross site scripting problems. Please read the XSS FAQ by CGI Security ( http://www.cgisecurity.com/articles/xss-faq.shtml ). They do an excellent job explaining how XS works and how to prevent it - and you really need to understand it before you can properly fix it.
You can use UrlEncode and UrlDecode method to achieve that. You can google more about these items. Here is a link which will help you http://php.net/manual/en/function.urlencode.php
Instead of tying to filter attack attempts, just make sure you always properly escape user input in your HTML. A query parameter is user input.
You do need to see how the inputs propagate, and escape right before display.
One thing to remember is that the escaping is different depending on the context it s displayed in. Some tips I finds useful:
function filter_url($url)
{
if (is_array($url))
{
foreach ($url as $key => $value)
{
// recurssion
$url[$key] = filter_url($value);
}
return $url;
}
else
{
// remove everything except for a-ZA-Z0-9_.-&=
$url = preg_replace( /[^a-ZA-Z0-9_.-&=]/ , , $url);
return $url;
}
}
Now you can filter the $_GET like this:
$_GET = filter_url($_GET);
This will wipe out everything except for a-ZA-Z0-9_.-&= Of course you can enhance that function as per your needs.
I m getting a vulnerability alert from Mcafee Secure saying that there is an XSS vulnerability on my site. The string they use to produce it is: https://www.mywebsite.com/%3E%22%3E%3Cscript%3Ealert%...
I am looking for damn good open source XSS prevention script to implement in my php mvc framework. Any ideas?
I need to know if there is any way of writing additional code to JavaScript files already deployed on the server. I am facing a problem with an ASP.NET 2.0 website and it is related to the ...
I m currently in the process of writing my first Rails app. I m writing a simple blog app that will allow users to comment on posts. I m pretty new to Rails, so I m looking for a bit of guidance on ...
Note: I m using Zend Framework, but I think most of this applies to PHP coding in general. I m trying to choose a strategy for writing views scripts, possibly with the help of a templating engine. ...
I m building a webpart for a Sharepoint site that allows the user to enter information into a textbox that will eventually be showed to other users. The problem is that I need to allow simple ...
Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...
We got a long-running website where XSS lurks. The problem comes from that some developers directly - without using HtmlEncode/Decode() - retrieve Request["sth"] to do the process, putting on the web. ...