
Thread: XSS Vulnerability fix

  1. #1 (Join Date: Oct 2010, Posts: 75)

    XSS Vulnerability fix

    So I added htmlentities to each of my text boxes. I don't know if I need it on my checkbox, but I don't know how, so if I do, tell me please.

    My issue though is, all of the XSS vulnerability warnings went away when I did that except for the page they're actually on, "contact.php".

    Sorry, I'm tired. Thanks so much all.
    PHP Code:

    Vulnerability description
    This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

    Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.
    This vulnerability affects /contact.php
    Discovered by: Scripting (XSS_in_URI.script).
    The impact of this vulnerability
    Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

    Attack details
    URI was set to 
    "onmouseover=prompt(989931)>
    The input is reflected inside a tag element between double quotes.


    Request
    GET /contact.php/%22onmouseover=prompt(989931)%3E HTTP/1.1
    Cookie: PHPSESSID=26d2d9143c8b4920fbb91285f512c433
    Host: www.drpcrepair.com
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
    Accept: */*

    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Mar 2011 04:29:50 GMT
    Server: Apache
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Pragma: no-cache
    Vary: Accept-Encoding
    X-Powered-By: PHP/5.2.17
    Keep-Alive: timeout=2, max=181
    Connection: Keep-Alive
    Content-Type: text/html
    Content-Length: 16712
    How to fix this vulnerability
    Your script should filter metacharacters from user input. 
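The scanner report above says the payload lands inside a tag, between double quotes, and that it came in through the URI. The following is an added example (not code from the thread or from the site being discussed) showing that attribute context: it assumes contact.php echoes part of the request path, such as $_SERVER['PHP_SELF'], into a double-quoted attribute, and contrasts the raw echo with an encoded one and with a fixed action. Function names are mine.

```php
<?php
// Added example, not code from the thread or from the site being discussed.
// Assumption: contact.php echoes part of the request URI (e.g. $_SERVER['PHP_SELF'],
// which includes any trailing path info) into a double-quoted attribute, the
// context the scanner report describes.

// The scanner's payload as it appears once the URL-decoded path is read.
$payload = '"onmouseover=prompt(989931)>';
$self    = '/contact.php/' . $payload;   // what PHP_SELF would hold for that request

// Vulnerable pattern: raw request data inside an attribute. The leading quote
// closes the action attribute and onmouseover becomes a live event handler.
function form_tag_vulnerable(string $self): string
{
    return '<form action="' . $self . '" method="post">';
}

// Hardened pattern: encode for the attribute context. With ENT_QUOTES both
// " and ' become entities (and > becomes &gt;), so the value cannot break out.
function form_tag_hardened(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Best: do not reflect the request path at all. A fixed action leaves nothing
// in the URI that can reach the markup.
function form_tag_fixed(): string
{
    return '<form action="contact.php" method="post">';
}

echo form_tag_vulnerable($self), "\n";
echo form_tag_hardened($self), "\n";
echo form_tag_fixed(), "\n";
```

Running it with the scanner's payload shows the first tag being broken open by the quote while the other two stay intact.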

  2. #2 (Join Date: Oct 2010, Posts: 75)

    http://www.winfrastructure.net/artic...ipting-attacks
    I found this; I think this is the fix, but I'm not sure how to use it.

    So I tried the ereg_replace thing again in the "mail" part of the PHP form (filtering all !@#$%^&*() but it still came up as vulnerable).

    Thanks again :/

  3. #3 (Join Date: Apr 2008, Location: So.Cal, Posts: 3,643)

    First off, this is not a CSS issue. What scripting language are you using? My answers will use PHP examples, but they will be similar in other languages.

    What are you doing with the text?

    For example, if you're displaying comments on your website, either strip_tags() or htmlentities() will prevent any malicious scripts from running.

    If you're doing something else (like using the text to search the database), you simply need to double-check 1) that it matches a pattern you're expecting (such as only digits 0-9 if you're expecting an id number), and/or 2) escape the string (e.g., by using mysql_real_escape_string()) before inserting it into a query.

    Incidentally, don't use ereg_replace(). It's deprecated. Use preg_replace() instead (the regex and syntax are a little different).
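Worked through in PHP, since the answer above uses PHP examples: an added example (not code from the thread) covering the three points it makes, output encoding versus strip_tags, pattern-checking an id, and the ereg_replace to preg_replace migration. Function names are mine and the sample inputs are constructed.

```php
<?php
// Added example illustrating the three points above; not code from the thread.
// Function names are mine and the sample inputs are constructed.

// 1) Displaying user text as HTML: htmlentities turns markup into inert text.
function render_comment(string $text): string
{
    return '<p>' . htmlentities($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

// strip_tags removes tags rather than encoding them. It leaves quotes alone, so
// it does not protect an attribute context (the one flagged on contact.php);
// use it to drop markup, not as the only defence for output.
function strip_comment(string $text): string
{
    return strip_tags($text);
}

// 2) Using the text for something else: check it matches what you expect.
// An id is digits only; anything else is rejected before it reaches a query.
function valid_id(string $input): bool
{
    return preg_match('/^[0-9]+$/', $input) === 1;
}

// 3) ereg_replace is deprecated; preg_replace uses PCRE with delimiters:
//    old: ereg_replace('[^[:alnum:] ]', '', $s)
//    new: preg_replace('/[^[:alnum:] ]/', '', $s)
// Note that a blacklist such as !@#$%^&*() never touches < > " ', which are
// the characters that matter in HTML; encoding for the output context is the
// reliable fix, and a character filter is at best a supplement.
function strip_punctuation(string $s): string
{
    return preg_replace('/[^[:alnum:] ]/', '', $s);
}

$sample = '<script>alert(1)</script> hello "world"';
echo render_comment($sample), "\n";   // tags and quotes become entities
echo strip_comment($sample), "\n";    // tags removed, quotes kept
var_dump(valid_id('12345'), valid_id('1 OR 1=1'));
echo strip_punctuation('Hello, world!'), "\n";
```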

  4. #4 (Join Date: Oct 2010, Posts: 75)

    All I'm doing is sending the info in the text boxes to my email.
    I was told, though, that if the site is XSS vulnerable, scripts can be injected causing harm to visitors.

  5. #5 (Join Date: Oct 2010, Posts: 75)

    Sorry, I don't know why I put this in CSS; if anything I guess PHP? No idea.

  6. #6 (Join Date: Apr 2008, Location: So.Cal, Posts: 3,643)

    Are you sending yourself plain text emails (important: no HTML in your emails)? If your input is never inserted into a database, and never used/displayed as HTML, then you don't need to do anything to it.

  7. #7 (Join Date: Oct 2010, Posts: 75)

    Not sure if I understand the question, but the users are to send me w/e msg they have for me, their email, name and... location? Is it? And it comes to me exactly as they type it in. I don't think there's any HTML involved in the actual email that is received by me.

    drpcrepair * c*om/contact * php if it helps any

  8. #8 (Join Date: Mar 2006, Location: Illinois, USA, Posts: 12,164)

    XSS attacks occur when user input becomes output, specifically when it is displayed on the website.
    For example, in a comment/blog/forum script, if you allow your visitors to input anything they'd like, they can place HTML and Javascript in their comments and it will become part of the page when posted. For this reason, HTML, Javascript and other code should be removed or disabled.

    However, if you are NOT actually putting this on your website (after the users submit it) then there is no danger at all.

    As traq says, it might be a problem for you (and ONLY you) if they submit emails to you with HTML in them. But this is actually not a problem UNLESS you are specifically receiving these emails as HTML-encoded. If they are just plain text (as is probably the case) HTML code won't do anything-- it'll just be text.


    If there is some way in which this user input is being displayed on your website (or in an HTML email or any other code-enabled medium) please let us know and we can help you work out how to disable it (make it text, not code, some way or another) so that it is not dangerous.


    A technical note: XSS attacks, or cross-site scripting attacks, occur when certain Javascript is embedded in user input that is then added to the page. What it does is take the information from the page and the user and send it to a remote website. Basically it's like allowing users to place a spy within your pages that can potentially tell you secrets that otherwise would only be known to that user (and your server, but not OTHER users).

  9. #9 (Join Date: Apr 2008, Location: So.Cal, Posts: 3,643)

    Quote Originally Posted by mat420:
        drpcrepair * c*om/contact * php if it helps any
    That doesn't help, actually. There's no way for us to see the PHP code by accessing the file; you'd need to post the contents of that script (or attach it as a .txt file).

  10. #10 (Join Date: Mar 2005, Location: SE PA USA, Posts: 30,495)

    As djr33 says, unless it's displayed on the website, the only danger is to you in reading the emails. You can avoid that by doing just what you have done, using htmlentities on the text inputs will protect you, as would setting your email client to display only text, either is sufficient, both would be ironclad. You shouldn't need htmlentities on the output of a checkbox, but it wouldn't hurt anything.
    - John
