<html>
<body>
<?php
1   $p = $_GET['param'];
2   $n = $_GET['cardinality'];
3   $op = $_GET['op'];
4   if ($n < 1)                                  //input validation
5     die;
6   if (strpos($p, '<script') !== false)
7     $p = htmlspecialchars($p);
8   if (isset($op)) {                            //print table
9     echo '<table border=1>';
10    for ($i = 0; $i < $n; $i++) {
11      echo '<tr><td>first cell</td>' .
           '<td>second cell</td>' .
           '<td>third cell</td></tr>';
      }
      echo "</table>";
12  } else {
13    //print menu
      for ($i = 0; $i < $n; $i++) {
14      echo '<a href=first.php>link #' . $i . '</a>';
      }
    }
15  echo $p;                                     //vulnerability
?>
</body>
</html>
Fig. 1. Running example of an XSS vulnerability in PHP code
the number of links in the menu depends on the value of cardinality. Parameter param is just printed.
On lines 1-3, input values are read from the incoming HTTP request (represented in PHP as the special associative array $_GET) and assigned to the local variables $p, $n and $op respectively.
On lines 4-7, input values are validated. If $n contains a value smaller than 1 or a string that does not represent a number, execution aborts (die statement at line 5). At line 7, the value of variable $p is validated. Validation, however, is performed only when the condition on line 6 holds, which is not sufficient to cover all the possible dangerous cases. For example, harmful code containing a different tag (e.g. <a>) or with a space between < and script may skip the sanitization.
Depending on the value of variable $op, either a table (lines 8-12) or a menu (lines 13-14) is shown. Eventually, variable $p is printed at line 15, possibly causing a security threat because of the inadequate validation at lines 6-7.
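As an added example (not part of the paper or of Fig. 1), the following script contrasts the conditional check of lines 6-7 with an unconditional encoding step and a strict integer check for cardinality; the function names and the probe strings are constructed for illustration.

```php
<?php
// Added example (not from the paper): a hardened variant of Fig. 1's checks.
// Encoding of $p no longer depends on spotting '<script', so no input can
// bypass it by using another tag or a different spelling of the tag.

// Cardinality must be an integer >= 1; anything else (including numeric-
// looking strings such as '2abc') is rejected instead of being coerced.
function validate_cardinality($raw)
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Flawed check from Fig. 1 (lines 6-7): encodes only when '<script' occurs.
function sanitize_flawed($p)
{
    if (strpos($p, '<script') !== false) {
        $p = htmlspecialchars($p);
    }
    return $p;
}

// Fixed check: always encode for the HTML-body context. ENT_QUOTES also
// encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// rather than returning an empty string.
function sanitize_fixed($p)
{
    return htmlspecialchars((string)$p, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed probes: the case line 6 catches, then the two the paper names
// as skipping it (a different tag, and a space between '<' and 'script').
$probes = ['<script>x</script>', '<a href="x">x</a>', '< script>x</script>'];
foreach ($probes as $probe) {
    // Any '<' left in the output means markup reaches the browser unencoded.
    $flawed = strpos(sanitize_flawed($probe), '<') === false ? 'escaped' : 'RAW';
    $fixed  = strpos(sanitize_fixed($probe), '<') === false ? 'escaped' : 'RAW';
    printf("%-22s flawed: %-7s fixed: %s\n", $probe, $flawed, $fixed);
}
foreach (['3', '0', 'abc', '2abc'] as $raw) {
    printf("cardinality %-5s -> %s\n", $raw,
        validate_cardinality($raw) === null ? 'rejected' : 'accepted');
}
```

Run from the command line, only the first probe is encoded by the flawed check, while the fixed check encodes all three; the cardinality loop accepts only '3'.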