Forem: Rodrigo Javornik

XSS Attack - Why strip_tags is not enough

Rodrigo Javornik — Wed, 13 Sep 2023 20:05:20 +0000

In PHP, it is common to use the strip_tags() function as a way to prevent XSS intrusion. However, this function does not even work to mitigate this type of attack, giving a false sense of security. But why?

What is XSS?

XSS (Cross-Site Scripting) is a form of attack that occurs when an attacker exploits a vulnerability in a web application to insert malicious scripts into its pages. These scripts are executed in the browsers of the application's users and can compromise sensitive information, allow session theft, redirect to other sites, etc.

Why strip_tags don't work?

The strip_tags() function is commonly used to remove HTML and PHP tags from a string. However, it is not designed to handle all forms of malicious input that can lead to XSS (Cross-Site Scripting) attacks.

Here are some reasons why strip_tags() falls short in mitigating XSS attacks:

Attribute-based attacks: XSS attacks can occur through attributes such as onmouseover or onclick, which can execute JavaScript code when triggered. strip_tags() does not remove or sanitize these attributes, allowing potential XSS vulnerabilities to remain.
Tag obfuscation: Attackers can obfuscate the HTML tags and their attributes to bypass strip_tags(). They can use techniques such as mixing case variations, HTML entity encoding, or JavaScript-based obfuscation. strip_tags() alone cannot effectively handle these obfuscated tags.
Context-awareness: XSS vulnerabilities can vary depending on the context in which the user input is displayed. strip_tags() does not have knowledge of the specific context and may allow certain tags or attributes that can still lead to XSS attacks.

An example of malicious string that can be used in an XSS attack is as follows:

this is a XSS attack <script>alert(“hello world”)<script>

If we apply the strip_tags() function, we obtain the following result:

this is a XSS attack alert(“hello world”)

Okay, in this case, it was indeed possible to clean the malicious code from the string. However, the attacker can use the following code:

this is a XSS attack &lt;script&gt; alert('oi') &lt;/script&gt;

The strip_tags() function will not sanitize the string in a way that prevents the injection of code into the page.

How to prevent it?

The good way to deal with untrusted data is:

Filter on input, escape on output

This means that you handle the received data (filter), but only transform it (escape or encode) when you send it as output to another system that requires encoding.

There is no way around it. In the data sanitization phase, the only way to effectively prevent XSS attacks is by using a specific library, such as:

These libraries provide robust mechanisms for preventing XSS attacks by sanitizing and properly handling user input and output.

Here, we are going to use the AntiXSS library.
Now we can sanitize our strings in a much safer way:

<?php

use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php';

$antiXss = new AntiXSS();
$xssString = "this is a XSS attack &lt;script&gt; alert('oi') &lt;/script&gt;";
$clearString = $antiXss->xss_clean($xssString);

//this is a XSS attack
echo $clearString;

In the phase of outputting data, you can use template engines like Twig or Blade or htmlspecialchars function.

Great! Now we have a good way to sanitize XSS.

It's worth mentioning that sanitization is just one of the steps in preventing XSS. But that is a topic for another text...

Do you like data sanitization? Then take a look at my PHP data sanitization library!

rodrigojavornik / PHPCleanup

A PHP Sanitation Library

PHP Cleanup

A powerful sanitization library for PHP and Laravel. No dependencies

Installation

composer require rodrigojavornik/php-cleanup

Usage

use PHPCleanup\Sanitize;

Sanitize::input()->sanitize(' <h1>Hello World</h1> ');//Hello World
Sanitize::trim()->captalize()->sanitize(' string    ');//String
Sanitize::trim()->lowercase()->sanitize(' MY name IS    ');//my name is
Sanitize::onlyNumbers()->sanitize(' abc1234');//1234

Available filters

captalize: Capitalize a string;
captalizeAll: Capitalize all string;
dateTime: Transform a string in DateTime object;
email: Removes all characters not allowed in an email address;
escape: Applies htmlspecialchars to value;
formatNumber: Format a number with grouped thousands;
input: Strip one whitespace from the beginning and end of a string and remove any HTML and PHP tags;
keys: applies sanitaze to elements of an array;
…

View on GitHub

Handling input data in PHP

Rodrigo Javornik — Thu, 04 May 2023 19:08:21 +0000

When I started my career as a developer, there was something I always heard from more experienced programmers, something that became a mantra that I always carried with me:

Never trust user data

How many times have we heard of systems that failed, either serious or not, because they didn't handle their data properly? Or of developers who wasted precious time creating specific libraries to handle GET and POST parameters?

We cannot deny that we have to handle our data, and the purpose of this text is to present a simple and safe way to perform this task with PHP.

The filter extension

In PHP 5.2, the filter extension was added by default. Since then, it has become easier to validate and sanitize data without needing to access the superglobals $_POST and $_GET.

In a simple way, there are two types of "tasks" performed by the filtering system:

Validation: ensures that the data meets a specific expectation. It returns a Boolean value if the data does not meet the established criterion.
Sanitization: removes unwanted data from the input based on a criterion and returns the sanitized data.

As it is a native feature of PHP >5.2, no installation is required to access the feature.

Using the Filter

To use the resources of the filter, we have to use one of the filter functions such as filter_input or filter_var. For didactic purposes, the examples in this text will use the filter_input function. Once the default function is defined, let's analyze its prototype:

mixed filter_input( int $type , string $variable_name [, int $filter = FILTER_DEFAULT [, mixed $options ]] );

Note that the only required parameters are type and variable_name. Where type is the constant used to indicate where the external data will be searched and variable_name is the name of the parameter to be searched. For example: $_GET['email'] would be like filter_input(INPUT_GET, 'email').

Taking into consideration that each filter is represented by a different constant, the filter parameter indicates the filter constant we will use. If no filter is defined, no filter will be applied by default. The options parameter adds modifiers to the filters, and its usage will be explained later.

Therefore, to apply a filter to a variable, we need the following code:

filter_input(INPUT_CONSTANT, $input_data, FILTER_CONSTANT);

Each filter in the system is represented by a constant. Validation constants are found as FILTER_VALIDATE_*, and sanitization constants are found as FILTER_SANITIZE_*.

Now that we understand the basic concepts, let's see some practical examples:

//SANITIZATION

// emailUser = ((teste@teste.com)&*
// return teste@teste.com
$emailUser = filter_input(INPUT_GET, 'emailUser', FILTER_SANITIZE_EMAIL);

// age = abc1b3
// return 13
$age = filter_input(INPUT_GET, 'age', FILTER_SANITIZE_NUMBER_INT);

//VALIDATION

// The parameter "email" does not exist.
// return NULL
filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);

// email = ((teste@teste.com)&*
// return FALSE
filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);

// email = teste@teste.com
// return TRUE
filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);

Modifiers

There are ways to modify the behavior of filters. Validation filters accept options and flags as modifiers, while sanitization filters only accept options.

Let's see an example of validation:

//numberHex = 0xf0
$modificador = [
    'options' => [
        'default' => 1,
        'min_range' => 1, 
        'max_range' => 240
    ],
    'flags' => FILTER_FLAG_ALLOW_HEX
];

filter_input(INPUT_GET, 'numberHex', FILTER_VALIDATE_INT, $modificador);

In the example above, to validate the numberHex we need an integer value between 1 and 240, if these requirements are not met the function will return what is in default. The flag FILTER_FLAG_ALLOW_HEX allows the function to also work with hexadecimal values, in this case 0xf0 is equal to 240 in decimal.

Now let's see an example of sanitization:

// number = -2.3
// return -23
filter_input(INPUT_GET, 'number', FILTER_SANITIZE_NUMBER_FLOAT);

// number = -2.3
// return -2.3
filter_input(INPUT_GET, 'number', FILTER_SANITIZE_NUMBER_FLOAT, ['flags' => FILTER_FLAG_ALLOW_FRACTION]);

In the code above, the same value is processed in different ways. In the first treatment, the dot is not considered. This happens because the function will only work with fractions if the FILTER_FLAG_ALLOW_FRACTION flag is present.

To conclude

The filter extension is an excellent way to handle your data within PHP without resorting to superglobals or using specific libraries. It is worth delving deeper into its functioning.

You can check the complete documentation of the feature by clicking here.

If you want a more powerful tool for data sanitization, I suggest using my PHPCleanup library.

Hey, did you like the text? Do you have any tips to share? Leave your comment, it will be a pleasure to interact with you.