
Xss Security (For vulnerability on web)

W33dRoCks

Banned User
Joined
Aug 18, 2009
Messages
475
Reaction score
1
Location
Spain
Well, the other day, inspecting other games, other language systems, websites, layouts, etc... I found a security vulnerability for sites (system validation of incoming data). I am using it in my layout.php, and so far it has not had any failure. If anyone wants to finish fixing everything, go ahead, but never forget the credits, thanks (I am not the creator). I don't know if this code will work (I have not yet reached this level of PHP and security xD).

PHP:
$queryString = strtolower($_SERVER['QUERY_STRING']);
// Blocklist check: if any of these characters appears anywhere in the raw query string, treat the request as an attack.
if(strstr($queryString, "<") || strstr($queryString, ">") || strstr($queryString, "(") || strstr($queryString, ")") ||
strstr($queryString, "..") || strstr($queryString, "%") || strstr($queryString, "*") || strstr($queryString, "+") ||
strstr($queryString, "!") || strstr($queryString, "@") || strstr($queryString, "'") || strstr($queryString, "/")) {

    $loc = $_SERVER['PHP_SELF'];
    $ip = $_SERVER['REMOTE_ADDR'];
    $date = date("d-m-Y @ h:i:s");
    $lfh = "_logs/xss.log";
    $log = fopen($lfh, "a+");
    if ($log !== false) {
        // Original line used "$loc=$queryString", which assigned to $loc instead of concatenating the two values.
        fputs($log, "Attack Date: ".$date." | Attacker IP: ".$ip." | QueryString: ".$loc."?".$queryString."\n");
        fclose($log);
    }
    header('Location: index.php');
    exit();
}

Credits to whoever created this code.

rep+ if this script has any function for you, sorry for my English.
 
Where do I put it? And how does it work? Explain in detail if possible .. :peace:
 
HTML:
 <script type="text/javascript">
$queryString = strtolower($_SERVER['QUERY_STRING']);
if(strstr($queryString, "<") || strstr($queryString, ">") || strstr($queryString, "(") || strstr($queryString, ")") ||
strstr($queryString, "..") || strstr($queryString, "%") || strstr($queryString, "*") || strstr($queryString, "+") ||
strstr($queryString, "!") || strstr($queryString, "@") || strstr($queryString, "'") || strstr($queryString, "/")) {

$loc = $_SERVER['PHP_SELF'];
$ip = $_SERVER['REMOTE_ADDR'];
$date = date("d-m-Y @ h:i:s");
$lfh = "_logs/xss.log";
$log = fopen ($lfh, "a+");
fputs ($log, "Attack Date: ".$date." | Attacker IP: ".$ip." | QueryString: index.php?".$loc=$queryString."
");
fclose($log);
header('Location: index.php');
exit();}
</script>

so? :huh:
 
This is a fail. First, when using urlencode, if a string contains a blank space it will be marked as 'XSS' because urlencode replaces the blank space with '+' as well!! If you don't urlencode, it will be replaced with '%20', which will also be marked as 'XSS'. SO, you sir, have failed.

--
Edit,
Almost forgot, you also can't search for a player with quotes because it will be marked as XSS too lmfao!


Better learn to use regular expressions and htmlspecialchars, and that's all. Also set a data type for every variable/thing you request from the user and you won't have any XSS problem.
 

so this sux?
 
so this sux?
Yes. The right method (in my eyes) is to use a function to filter all the data from the user, like this one I just wrote:

PHP:
function get($topic, $method = 'get')
{
        $topicFIX = array();

        // Pick the input source; isset() avoids an "undefined index" notice when the key is missing.
        switch($method)
        {
                case 'get':
                        $topic = isset($_GET[$topic]) ? $_GET[$topic] : '';
                break;

                case 'post':
                        $topic = isset($_POST[$topic]) ? $_POST[$topic] : '';
                break;

                case 'session': //I know session is server side but still.
                        $topic = isset($_SESSION[$topic]) ? $_SESSION[$topic] : '';
                break;

                default:
                        $topic = '';
                break;
        }

        // Allowlist: keep only letters, digits, underscore, + ' - and space; every other character is dropped.
        preg_match_all("/([\w\+\' -])/", (string)$topic, $topicFIX);

        return @implode(NULL, $topicFIX[0]);
}

Yeah, I know the switch was noob, but I wanted to make it retardpr00f.

With this function you shouldn't have any problem filtering names, subtopics, page numbers etc., since it only allows: a-z A-Z 0-9 ' + - _ and white space (AKA %20).

And if you don't feel like returning quotes without encoding, simply replace

PHP:
return @implode(NULL,$topicFIX[0]);

with

PHP:
return htmlspecialchars(@implode(NULL,$topicFIX[0]),ENT_QUOTES);

For long text which requires all letters/symbols (like character comments), use htmlspecialchars with ENT_QUOTES and that's all.

BTW, I post this now because fkedkwrwamAC mod deleted my post ;(! ALSO! I made this in less than 2 minutes and I didn't test the script, so I'm not really sure if the function actually works.
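As an added illustration of both sides of this thread (not code from either poster), the script below puts the first post's character blocklist next to the later reply's allowlist-plus-htmlspecialchars approach and runs both over constructed query strings, including a player name with a space (sent as '+' or '%20') and one with an apostrophe. The function names, the sample query strings and the `name` parameter are assumptions made for this demo.

```php
<?php
// Added example, not from the thread. Input names and values are constructed.

// The first post's check, reduced to a function: any listed substring in the
// raw (still URL-encoded) query string counts as an "attack".
function blocklistFlags(string $rawQuery): bool
{
    $bad = ['<', '>', '(', ')', '..', '%', '*', '+', '!', '@', "'", '/'];
    $q = strtolower($rawQuery);
    foreach ($bad as $needle) {
        if (strpos($q, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// The later reply's approach: keep only [A-Za-z0-9_+' -] from the already
// decoded value, then HTML-encode it for output (ENT_QUOTES also encodes ').
function allowlistClean(string $decoded): string
{
    preg_match_all("/([\w+' -])/", $decoded, $m);
    return htmlspecialchars(implode('', $m[0]), ENT_QUOTES, 'UTF-8');
}

// Constructed query strings. The first three are legitimate player lookups
// that the blocklist rejects (space encoded as '+' or '%20', an apostrophe);
// the last one is the kind of value the blocklist was written to stop.
$samples = [
    'name=Sir+Knight',
    'name=Sir%20Knight',
    "name=O'Brien",
    'name=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
];

foreach ($samples as $raw) {
    parse_str($raw, $params);             // decodes '+' and %XX the way $_GET does
    $value = $params['name'] ?? '';
    printf("%-42s blocklist=%-5s allowlist=%s\n",
        $raw,
        blocklistFlags($raw) ? 'BLOCK' : 'pass',
        allowlistClean($value));
}
// For page numbers and other numeric parameters, casting with (int) is the
// "set a data type" step from the reply: (int)($params['page'] ?? 1).
```

Running it shows the legitimate names all being blocked by the blocklist while the allowlist passes them through encoded, and the script payload reduced to harmless letters and digits with the angle brackets and parentheses gone.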
 