How to fix php XSS issues
I have done scanning of my PHP code using AppScan Source tool( from HCL Software) and find that there are almost 350 XSS type issues of various patterns.
Wondering what is the good way in PHP to fix them? Most of them are due to html that we echo or add dynamically.
Example line that has XSS in scan is as given below
echo '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">'
XSS stands for Cross-Site Scripting these are attacks. A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
We want to prevent this from happening. Since you are using PHP this won't be resolved using http://htmlpurifier.org/. You'll have to use another method. What you can try are the following options:
- Encrypt your values inside the echo statement.
- Your application code should never output data received as input directly to the browser without checking it for malicious code.
These are simple steps to prevent an XSS attack from happening:
- Train and maintain awareness.
- To keep your web application safe, everyone involved in building the web application must be aware of the risks associated with XSS vulnerabilities. You should provide suitable security training to all your developers, QA staff, DevOps, and SysAdmins. You can start by referring them to this page.
- Don’t trust any user input.
- Treat all user input as untrusted. Any user input that is used as part of HTML output introduces a risk of an XSS. Treat input from authenticated and/or internal users the same way that you treat public input.
- Use escaping/encoding.
- Use an appropriate escaping/encoding technique depending on where user input is to be used: HTML escape, JavaScript escape, CSS escape, URL escape, etc. Use existing libraries for escaping, don’t write your own unless absolutely necessary.
- Sanitize HTML.
- If the user input needs to contain HTML, you can’t escape/encode it because it would break valid tags. In such cases, use a trusted and verified library to parse and clean HTML. Choose the library depending on your development language, for example, HtmlSanitizer for .NET or SanitizeHelper for Ruby on Rails.
- Set the HttpOnly flag.
- To mitigate the consequences of a possible XSS vulnerability, set the HttpOnly flag for cookies. If you do, such cookies will not be accessible via client-side JavaScript.
- Use a Content Security Policy.
- To mitigate the consequences of a possible XSS vulnerability, also use a Content Security Policy (CSP). CSP is an HTTP response header that lets you declare the dynamic resources that are allowed to load depending on the request source.
- Scan regularly (with Acunetix).
- XSS vulnerabilities may be introduced by your developers or through external libraries/modules/software. You should regularly scan your web applications using a web vulnerability scanner such as Acunetix. If you use Jenkins, you should install the Acunetix plugin to automatically scan every build.
I'll include two short examples of encoding in PHP here: You could try the htmlspecialchars I suggested to you earlier. I'll give an example with the line of code you gave is on your question.
echo '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">'
Would be changed to:
echo htmlspecialchars('<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">', ENT_QUOTES, 'UTF-8');
You could also use a html encoder and place this inside an echo for example:
echo "<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">"
These all give the output:
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">
.
Here is a short explantion about what XSS does. In a Cross-site Scripting attack (XSS), the attacker uses your vulnerable web page to deliver malicious JavaScript to your user. The user’s browser executes this malicious JavaScript on the user’s computer. Note that about one in three websites is vulnerable to Cross-site scripting.
Google Code University also has these very educational videos on Web Security:
-
How To Break Web Software - A look at security vulnerabilities in web software
-
What Every Engineer Needs to Know About Security and Where to Learn It
EDIT: This website may also help you. http://htmlpurifier.org/ <- this rewrites your code. As said in a review by IRIS: "I'd just like to say we use HTML Purifier in IRIS for filtering emails against XSS attacks and we've been more than impressed.". Take a look into it, it might help you out.