
I have been searching everywhere to try and find a solution to this. I have recently been running scans on our websites to find any vulnerabilities to XSS and SQL Injection. Some items have been brought to my attention.

Any data which is user inputted is now validated and sanitized using filter_var().

My issue now is with XSS and persons manipulating the URL. The simple one which seems to be everywhere is:

http://www.domainname.com/script.php/">< script>alert('xss');< /script >

This then changes some of the $_SERVER variables and causes all of my relative paths to CSS, links, images, etc. to be invalid, and the page doesn't load correctly.

I clean any variables that are used within the script, but I am not sure how I get around removing this unwanted data in the URL.

Thanks in advance.

Addition: This then causes a simple link in a template file:

<a href="anotherpage.php">Link</a>

to actually link to:

"http://www.domainname.com/script.php/">< script>alert('xss');< /script >/anotherpage.php

2
  • sanitize user input; never trust it Commented Jan 6, 2012 at 21:38
  • What exactly am I sanitizing, I am not taking this input in for any use. I just want it ignored if it is not a variable I want. Commented Jan 6, 2012 at 21:49

3 Answers

2

This then changes some of the $_SERVER variables and causes all of my relative paths to CSS, links, images, etc.. to be invalid and the page doesn't load correctly.

This sounds like you made a big mistake with your website and should re-think how you inject link information from the input into your output.

Filtering input alone does not help here, you need to filter the output as well.

Often it's easier, if your application receives a request that does not match the superset of allowed requests, to return a 404 error.

I am not sure how I get around removing this unwanted data in the URL.

Actually, the request has already been sent, so the URL is set. You can't "change" it. It's just the information about what was requested.

It's now your part to deal with it, not to blindly pass it around any longer, e.g. into your output (and then your links are broken).


Edit: You now wrote more specifically what you're concerned about. I would go in one with dqhendricks here: Who cares?

If you really feel uncomfortable with the fact that a user is just using her browser and enters any URL she feels free to do so, well, the technically correct response is:

400 Bad Request (ref)

And return a page with no URIs or only fully-qualified URIs (absolute URIs), or a redefinition of the Base-URI; otherwise the browser will take the URI entered into its address bar as the Base-URI. See Uniform Resource Identifier (URI): Generic Syntax, RFC 3986, Section 5, Reference Resolution.


2 Comments

I don't actually use any of the input in my output. I do not use PHP_SELF, or any of the $_SERVER vars. Unless there is something I am missing on my server configuration. The script that is being called does exist, so I am unsure as to how I should give a 404 error. I modified my question to show how the links are modified.
@cosmoba: I edited the answer. To learn how you can make your scripts return an HTTP status code, please see php.net/header .
1

First, if someone adds that crap to their URL, who cares if the page doesn't load images correctly? Also, if the request isn't valid, why would it load any page? Why are you using SERVER vars to get paths anyway?

Second, you should also be escaping any user-submitted database input with the appropriate method for your particular database to avoid SQL injection. filter_var generally will not help.

Third, XSS is simple to protect against. Any user-submitted data that is to be displayed on any page needs to be escaped with htmlspecialchars(). This is easier to ensure if you use a view class that you can build this escaping into.

2 Comments

I am not using $_SERVER vars to get any paths. I do escape all user submitted data.
@cosmoba you said in your post, "This then changes some of the $_SERVER variables and causes all of my relative paths to CSS, links, images, etc.. to be invalid and the page doesn't load correctly." $_SERVER vars should not affect relative paths in any way.
0

To your concern about XSS: The altered URL won't get into your page unless you blindly use the related $_SERVER variables. The fact that the relative links seem to include the URL-injected script is a browser behavior that risks only breaking your relative links. Since you are not blindly using the $_SERVER variables, you don't have to worry.

To your concern about your relative paths breaking: Don't use relative paths. Reference all your resources with at least a root-of-domain path (starting with a slash) and this sort of URL corruption will not break your site in the way you described.
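Added example (not code from any of the answers) showing both the point of the first answer (reject requests outside the allowed set with a 400, or redefine the Base-URI) and this answer's point (root-relative paths survive a tampered URL). It resolves hrefs the way a browser does per RFC 3986 section 5; the sample request URL, the junk path segment and the allowed-path set are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Constructed request, shaped like the one in the question: the browser asked
# for /script.php with an extra (URL-encoded) path segment appended.
TAMPERED_REQUEST = "http://www.domainname.com/script.php/%22%3E%3Cjunk%3E"
CLEAN_REQUEST = "http://www.domainname.com/script.php"

# Hypothetical whitelist of the scripts this site actually serves.
ALLOWED_PATHS = {"/script.php", "/anotherpage.php"}


def resolve_href(page_url, href, base_href=None):
    """Resolve an <a href> like a browser does (RFC 3986 section 5).

    The base is the address-bar URL unless the page carries a
    <base href="..."> tag (the Base-URI redefinition from the first answer),
    in which case that tag's value, itself resolved against the page URL,
    becomes the base.
    """
    base = urljoin(page_url, base_href) if base_href else page_url
    return urljoin(base, href)


def decide_status(request_url, allowed_paths=ALLOWED_PATHS):
    """Server-side check from the first answer: serve the page (200) only when
    the request path is exactly one of our scripts; any extra path info after
    script.php/ makes the path differ, so the request gets a 400 instead."""
    return 200 if urlsplit(request_url).path in allowed_paths else 400


if __name__ == "__main__":
    # Relative link from the question's template, resolved against the
    # tampered URL: it lands under /script.php/, not under the site root.
    print(resolve_href(TAMPERED_REQUEST, "anotherpage.php"))
    # Root-relative link (this answer's advice): unaffected by the junk segment.
    print(resolve_href(TAMPERED_REQUEST, "/anotherpage.php"))
    # Relative link but with <base href="/"> in the page: also unaffected.
    print(resolve_href(TAMPERED_REQUEST, "anotherpage.php", base_href="/"))
    print(decide_status(TAMPERED_REQUEST), decide_status(CLEAN_REQUEST))
```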

Comments
