Prevention of PHP and XSS cross-site attacks

Source: Internet
Author: User
The prevention of cross-site PHP and XSS attacks has long been discussed, and many PHP sites in China have discovered XSS vulnerabilities. I accidentally saw an XSS vulnerability in PHP5 today. here is a summary. By the way, it is recommended that you use PHP5 to install a patch or upgrade it.

If you don't know what XSS is, you can read it here or here (Chinese may be better understood ).

Many forums in China have cross-site scripting vulnerabilities. for example, here is an example of a Google Hack + XSS attack targeting Discuz 4.0.0RC3. There are also many such examples abroad, and even Google has appeared, but it was fixed at the beginning of December. Cross-site attacks can be easily constructed and are very concealed and difficult to detect (usually jump back to the original page immediately after information is stolen ).
Here we will not explain how to attack (or ask me), but mainly discuss how to prevent it. First, cross-site scripting attacks are caused by the absence of strict filtering of user input. Therefore, we must block possible dangers before all data enters our website and database. Htmlentities () can be used for illegal HTML code, including single and double quotation marks ().

$ Str = "A 'quote' is Bold";

// Outputs: A 'quote' is Bold
Echo htmlentities ($ str );

// Outputs: A 'quote' is Bold
Echo htmlentities ($ str, ENT_QUOTES );
?>


In this way, invalid scripts can be invalidated.

But note that htmlentities () is encoded as a ISO-8859-1 by default, and if your illegal script code is another, it may not be filtered out, while the browser can recognize and execute. To solve this problem, I need to test several sites first.

Here is a function for filtering out invalid scripts:

Function RemoveXSS ($ val ){
// Remove all non-printable characters. CR (0a) and LF (0b) and TAB (9) are allowed
// This prevents some character re-spacing such
// Note that you have to handle splits with \ n, \ r, and \ t later since they * are * allowed in some inputs
$ Val = preg_replace ('/([\ x00-\ x08] [\ x0b-\ x0c] [\ x0e-\ x20])/', '', $ val );

// Straight replacements, the user shoshould never need these since they're normal characters
// This prevents like
$ Search = 'abcdefghijklmnopqrstuvwxy ';
$ Search. = 'abcdefghijklmnopqrstuvwxy ';
$ Search. = '2017! @ # $ % ^ &*()';
$ Search. = '~ '";:? +/= {} []-_ | \'\\';
For ($ I = 0; $ I <strlen ($ search); $ I ++ ){
//;? Matches the;, which is optional
// 0 {0, 7} matches any padded zeros, which are optional and go up to 8 chars

// @ Search for the hex values
$ Val = preg_replace ('/(& # [x | X] 0 {0, 8}'. dechex (ord ($ search [$ I]). ';?) /I ', $ search [$ I], $ val); // with;
// @ 0 {0, 7} matches '0' zero to seven times
$ Val = preg_replace ('/({0, 8}'. ord ($ search [$ I]). ';?) /', $ Search [$ I], $ val); // with;
}

// Now the only remaining whitespace attacks are \ t, \ n, and \ r
$ Ra1 = Array ('javascript ', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'Blink ', 'link ', 'style', 'script', 'Embed ', 'object', 'iframe', 'frameset', 'ilayer', 'lay', 'bgsound ', 'title', 'base ');
$ Ra2 = Array ('onabport', 'onactivate', 'onafterprint ', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate ', onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick ', oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag ', 'ondragend', 'ondragenter', 'ondragleave ', 'ondragover', 'ondragstart', 'ondrop', 'onerrorupdat', 'onfilterchang', 'onfinish ', 'oncore', 'onfocusin', 'onfocusout ', 'onhelp', 'onkeylow', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture ', onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend ', 'onmovestart', 'onpaste ', 'onpropertychang', 'onreadystatechang', 'onreset', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit ', 'onrowsdelete', 'onrowsinserted', 'onscroll ', 'onselect', 'onselectionchang', 'onselectstart', 'onstart', 'onstop', 'onsubmit ', 'onload ');
$ Ra = array_merge ($ ra1, $ ra2 );

$ Found = true; // keep replacing as long as the previous round replaced something
While ($ found = true ){
$ Val_before = $ val;
For ($ I = 0; $ I <sizeof ($ ra); $ I ++ ){
$ Pattern = '/';
For ($ j = 0; $ j <strlen ($ ra [$ I]); $ j ++ ){
If ($ j> 0 ){
$ Pattern. = '(';
$ Pattern. = '(& # [x | X] 0 {0, 8} ([9] [a] [B]);?)? ';
$ Pattern. = '| ({0, 8} ([9] [10] [13]);?)? ';
$ Pattern. = ')? ';
}
$ Pattern. = $ ra [$ I] [$ j];
}
$ Pattern. = '/I ';
$ Replacement = substr ($ ra [$ I], 0, 2 ).' '. Substr ($ ra [$ I], 2); // add in <> to nerf the tag
$ Val = preg_replace ($ pattern, $ replacement, $ val); // filter out the hex tags
If ($ val_before ==$ val ){
// No replacements were made, so exit the loop
$ Found = false;
}
}
}
}

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.