Jul 28

Though I'm sure most site admins can figure this out, it is amazing how easy it is to find XSS bugs in closed-source software using nothing but Google and old-fashioned brute stupidity. Here are some common places to look for XSS bugs:

  • Search Forms
  • Any form which saves the value it is given in an input field
  • Pages with pagination (Less likely but possible…)

First, search forms. These are notorious for echoing the search term straight back into the results page, along the lines of "You searched for <term>!", with no encoding at all.

The code for such a page is usually something like this:

<form method="GET">
<strong>Search: <input name="q" size="50" type="text"></strong>
<input value="Search" type="submit">
</form>
<hr>
<?php
// The raw query-string value is written straight into the page markup.
echo("<strong>You searched for " . $_GET['q'] . "! Isn't that exciting?!</strong>");
?>

What's wrong here? $_GET['q'] goes straight into the echo(), so whatever the visitor (or a link the visitor was tricked into clicking) puts in the query string is written into the page as raw HTML. A q of <script>alert(1)</script> comes back as a real script tag, not as text; this is reflected XSS. How do we fix this? Simple.

echo("<strong>You searched for " . htmlentities($_GET['q']) . "! Isn't that exciting?!</strong>");

What happens when we try to inject an XSS attack into this now? htmlentities() turns < and > into the entities &lt; and &gt;, so the browser shows the injected tags as plain text instead of parsing them as HTML. Prefer htmlentities($_GET['q'], ENT_QUOTES, 'UTF-8') to the bare call: older PHP versions do not encode single quotes by default, and that matters as soon as the same value is reflected inside a quoted attribute. Every server-side language has an equivalent (PHP, ASP, whatever you use), and even JavaScript can encode output once it is in the browser.

However, if you EVER feel the urge to leave input validation to a clientside scripting language, quickly slap yourself across the face. Clientside input validation is as good as no input validation: an attacker simply sends the request without your JavaScript, so things like length restrictions on text inputs do virtually nothing to stop someone from abusing your script. Another caution: addslashes() does NOT protect you from XSS. It backslash-escapes quotes and backslashes for string contexts and leaves < and > untouched, so <script>alert(1)</script> passes through it unchanged.

Isn't JavaScript such a blessing to us humble web developers?

Next, text fields that set their value to the user's input without checking it (the "sticky" search box that still shows what you searched for). "But it just goes to the text box! You can't execute JavaScript in a textbox!" May the lord have mercy on your souls. Just try searching for something as simple as ">. Did I just blow your mind? That "> closes the value attribute and then the <input> tag itself, so everything after it is parsed as markup rather than as the field's contents.


Now I can put whatever I want in after that and it will execute outside of the safety of the text field. The fix is the same encoding as before, with one extra condition: the attribute has to be quoted in your HTML, because in an unquoted attribute a plain space ends the value and no amount of encoding quotes will save you.

Lastly, pagination pages. For those of you who don't know what pagination is, I'll save you my comments and just give you the definition from Wikipedia:

Pagination is the system by which the information on a newspaper, bookpage, manuscript, or otherwise handwritten or printed document are laid out.

Basically, it's those little links you see at the bottom of things like photo albums, "1|2|3|4" with a link to each page, or "A B C D" for user list pages. The selected page number or letter usually arrives as a query parameter and gets echoed back into the links and into text like "Page 3 of 10". I won't go too deep into how it works, but just be careful passing unfiltered selections to the page: a page number should be checked to be a positive integer (and a letter checked against the list you actually offer) before it is used, and encoded like any other output when it is written back out.
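To make the three spots concrete, here is an added example of my own (not code from the original post) that puts each reflection point beside its hardened version and runs from the command line. The payloads, the e() helper and the function names are constructed for illustration; the pagination check is stricter than the post's single encode call, since a page number has a known shape and can be rejected outright.

```php
<?php
// Added example, not from the original post. Run with: php xss_contexts.php
// Shows the three reflection points from the post (search echo, sticky
// value="" attribute, pagination) with the unsafe output beside the hardened
// output. All attacker inputs below are constructed for illustration.

declare(strict_types=1);

// Encode for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also encodes single quotes (older PHP defaults did not),
// ENT_SUBSTITUTE avoids returning "" on invalid UTF-8, and the explicit
// charset avoids depending on the ini default.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Search echo: input reflected into the page body.
function searchUnsafe(string $q): string
{
    return "<strong>You searched for " . $q . "!</strong>";
}
function searchSafe(string $q): string
{
    return "<strong>You searched for " . e($q) . "!</strong>";
}

// addslashes() is for quoting inside a string literal; it leaves < and >
// untouched, so a script tag passes through it intact.
function searchAddslashes(string $q): string
{
    return "<strong>You searched for " . addslashes($q) . "!</strong>";
}

// 2. Sticky form field: input reflected into a quoted value="" attribute.
function fieldUnsafe(string $q): string
{
    return '<input name="q" type="text" value="' . $q . '">';
}
function fieldSafe(string $q): string
{
    return '<input name="q" type="text" value="' . e($q) . '">';
}

// 3. Pagination: the page selector reflected into link text and hrefs.
function pagerUnsafe(string $page): string
{
    return '<a href="?page=' . $page . '">Page ' . $page . '</a>';
}
// A page number has a known shape: validate it, then encode it anyway.
function pagerSafe(string $page): string
{
    if (!preg_match('/^[1-9][0-9]{0,5}$/', $page)) {
        $page = '1'; // anything that is not a small positive integer falls back to page 1
    }
    return '<a href="?page=' . e($page) . '">Page ' . e($page) . '</a>';
}

// Constructed payloads, one per context. The field and pager payloads start
// with "> to break out of the attribute exactly as the post describes.
$cases = [
    'search'     => ['<script>alert(1)</script>',     'searchUnsafe',     'searchSafe'],
    'addslashes' => ['<script>alert(1)</script>',     'searchAddslashes', 'searchSafe'],
    'field'      => ['"><script>alert(1)</script>',   'fieldUnsafe',      'fieldSafe'],
    'pager'      => ['1"><script>alert(1)</script>',  'pagerUnsafe',      'pagerSafe'],
];

if (PHP_SAPI === 'cli') {
    foreach ($cases as $name => [$payload, $unsafe, $safe]) {
        echo "== $name ==\n";
        echo "unsafe: " . $unsafe($payload) . "\n";
        echo "safe:   " . $safe($payload) . "\n\n";
    }
}
```

In the "unsafe" lines the script tag survives intact (and for the field and pager cases it sits outside the attribute it was supposed to be the value of); in the "safe" lines it comes out as &lt;script&gt; inside &quot;-delimited attributes, and the pager case falls back to page 1 because the input is not a number. The addslashes case prints the same broken markup as the plain unsafe one, which is the whole point of that caution.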


I have no idea why developers choose (and I mean this, I refuse to believe that they simply "forget" to validate some data while other data gets scrubbed clean) to leave these XSS bugs present, given how easy it is to fix them. Let me show you one more time how to solve all of these bugs.

htmlentities($variable);

XSS is lame. Don't let the users of your software be compromised over something so easy to fix.
