Security_pitfalls

Michal Čihař edited this page May 16, 2016 · 4 revisions

Here are some guidelines on how to avoid security issues that could lead to security bugs.

Sanitize input variables

Escape all variables in output

  • What? When printing a variable to generate html output, JavaScript, urls, messages; or when exporting in xml-based formats or SQL.
  • Why? No variable content can be trusted, so it should be escaped in order not to cause vulnerabilities like XSS or SQL injection.
  • How? By using escaping functions to convert possibly dangerous characters to a safe replacement.

Escaping xml/html output

When printing the contents of a variable in xml/html output, that variable could contain characters that have a special function in html/xml, like '<' and '>'. When used in combination with other characters, this could trick the browser to show or do something that is not intended.

These special characters can be converted to a special, and harmless, string (f.e. '<' will become '&lt;'), using a function like htmlspecialchars(), as in the examples below.

Incorrect example

$bad_string = "<script>alert('Hello world!')</script>";
echo "<p>This is an example of a badly escaped string : " . $bad_string . "</p>";
Output :

<p>This is an example of a badly escaped string : <script>alert('Hello world!')</script></p>

When this is evaluated by a Javascript enabled browser, this is printed on the screen:

This is an example of a badly escaped string :

And a Javascript generated popup saying "Hello world!", but any script could have been executed.

Correct example

$bad_string = "<script>alert('Hello world!')</script>";
echo "<p>This is an example of a correctly escaped string : " . htmlspecialchars($bad_string, ENT_QUOTES) . "</p>";

Output :

<p>This is an example of a correctly escaped string : &lt;script&gt;alert(&#039;Hello world!&#039;)&lt;/script&gt;</p>

When this is evaluated by a Javascript enabled browser, this is printed on the screen:

This is an example of a correctly escaped string :

<script> alert('Hello world!') </script>

And no unwanted script was executed because the crafted string was correctly escaped.

From JavaScript

In js/functions.js we have defined escapeHtml() that should be called whenever necessary.

Escaping urls

When printing the contents of a variable in a url, that variable could contain characters that have a special function in html, like a single quote (') or '>'. When used in combination with other characters, this could result in a broken link or a link tricking the user into doing something unintended.

These special characters can be converted to an escaped, and harmless, string (f.e. '>' will become '&gt;'), using a function like htmlspecialchars(), as in the examples below.

Incorrect example

$bad_url = "some_url.php'><script>alert('Hello world!')</script>";
echo "<a href='" . $bad_url . "'>This is a badly escaped url</a>\n";
Output :

<a href='some_url.php'><script>alert('Hello world!')</script>'>This is a badly escaped url</a>

These links still point to the right url, but it was also possible to break out of the url and execute some Javascript.

Correct example

$bad_url = "some_url.php'><script>alert('Hello world!')</script>";
echo "<a href='" . htmlspecialchars($bad_url, ENT_QUOTES) . "'>This is a correctly escaped url</a>\n";

Output :

<a href='some_url.php&#039;&gt;&lt;script&gt;alert(&#039;Hello world!&#039;)&lt;/script&gt;'>This is a correctly escaped url</a>

In this case, the injected JavaScript was not executed because breaking out of the url was not possible. The link is broken though. Using htmlspecialchars protects you from XSS in this case, but some sanitization of the variable content is still necessary.

Escaping url parameters

When printing the contents of a variable in a url, that variable could contain characters that have a special function in urls, like ' ', '&' or '?'. When used in combination with other characters, this could result in a broken link or a link tricking the user to do something unintended.

These special characters can be converted to an encoded, and harmless, string (f.e. ' ' will become '+' or '%20'), using a function like urlencode(), as in the examples below.

Incorrect example

$bad_string = "some_value&other_var=bad_stuff";
$bad_string2 = "'><script>alert('Hello world!')</script>";
echo "<a href='some_url.php?some_var=" . $bad_string . "'>This is a badly encoded url</a>\n";
echo "<a href='some_url.php?some_var=" . $bad_string2 . "'>This is another badly encoded url</a>\n";
Output :

<a href='some_url.php?some_var=some_value&other_var=bad_stuff'>This is a badly encoded url</a>
<a href='some_url.php?some_var='><script>alert('Hello world!')</script>'>This is another badly encoded url</a>

These links still point to the right url, but in the first link a new url parameter (other_var) was introduced (and possibly overriding the real value of an existing url parameter), possibly causing unintended behaviour. In the second link it was also possible to break out of the url and execute some Javascript.

Correct example

$bad_string = "some_value&other_var=bad_stuff";
$bad_string2 = "'><script>alert('Hello world!')</script>";
echo "<a href='some_url.php?some_var=" . urlencode($bad_string) . "'>This is a correctly encoded url</a>\n";
echo "<a href='some_url.php?some_var=" . urlencode($bad_string2) . "'>This is another correctly encoded url</a>\n";

Output :

<a href='some_url.php?some_var=some_value%26other_var%3Dbad_stuff'>This is a correctly encoded url</a>
<a href='some_url.php?some_var=%27%3E%3Cscript%3Ealert%28%27Hello+world%21%27%29%3C%2Fscript%3E'>This is another correctly encoded url</a>

In this case, the only parameter passed to some_url.php by each link is some_var, as intended. The content of both variables was encoded so that polluting another url parameter was not possible. The injected JavaScript in the second link was not executed because breaking out of the url was not possible.
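The three contexts above (element text, a url inside an html attribute, and a url parameter) done in JavaScript, as an added example that is not part of this wiki page or of phpMyAdmin's js/functions.js: escapeHtml() and urlencode() below are assumed equivalents of PHP's htmlspecialchars(..., ENT_QUOTES) and urlencode(), and buildLink() is a hypothetical helper showing why a url parameter needs both layers of escaping.

```javascript
// Added example, not phpMyAdmin code. Each function handles the characters of
// exactly one output context; the sample strings are the ones used on this page.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Assumed equivalent of htmlspecialchars($s, ENT_QUOTES): safe for element text
// and for values inside single- or double-quoted html attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed equivalent of PHP urlencode(): safe for one query-string value only,
// never for a whole url. encodeURIComponent leaves !'()* alone, so they are
// encoded here too, and a space becomes '+' as in PHP.
function urlencode(value) {
  return encodeURIComponent(String(value))
    .replace(/[!'()*]/g, (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

// Hypothetical helper: builds <a href='some_url.php?some_var=...'>label</a>.
// The value is URL-encoded first (query-string context), then the finished href
// is html-escaped (attribute context), so neither '&' nor a quote can escape
// its layer. Escaping in the other order would leave the url broken.
function buildLink(paramValue, label) {
  const href = 'some_url.php?some_var=' + urlencode(paramValue);
  return "<a href='" + escapeHtml(href) + "'>" + escapeHtml(label) + '</a>';
}

// Element-text context: the <p> example from the top of the page.
function renderParagraph(text) {
  return '<p>' + escapeHtml(text) + '</p>';
}
```

Running buildLink() with the two strings from the incorrect example above reproduces the two correctly encoded links exactly.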

Escaping SQL output
