Here is the vulnerable code
<?php header("Location: ".$_POST['target']); ?>
What is the appropriate way to make sure nasty things that come in to target are cleaned?
First up, this is a vulnerability.
OWASP categorizes it as "Unvalidated Redirects and Forwards". See OWASP's guide for more information.
A few interesting attacks are possible. See this thread on sla.ckers.org for ideas on how this can be abused.
How do you protect yourself?
- Verify the scheme of the URL. You usually only want to support http and https. Abort the request for any other scheme.
- Parse the URL, and extract the domain. Only allow redirects to a known list of domains. For other domains, abort the request.
That's about it.
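An added example (not part of the original answer) of the two checks listed above: an http/https scheme check followed by a host allow-list. The function name `safe_redirect_target` and the hosts in `ALLOWED_HOSTS` are hypothetical, and the sample inputs are constructed for illustration.

```php
<?php
// Added example: ALLOWED_HOSTS is a hypothetical allow-list; use your own hosts.
const ALLOWED_HOSTS = ['www.example.com', 'shop.example.com'];

// Returns $target if it is an absolute http(s) URL on an allow-listed host, else null.
function safe_redirect_target($target): ?string
{
    if (!is_string($target) || $target === '') {
        return null; // missing, empty, or an array such as target[]=x
    }
    // Reject control characters, spaces and backslashes: CR/LF allowed header
    // injection on old PHP versions, and browsers treat "\" like "/" in URLs.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $target)) {
        return null;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-relative ("//host") or malformed
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Extra strictness beyond the answer: no userinfo ("user@host") in targets.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null; // exact host match only, no suffix or substring matching
    }
    return $target;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, printed with the decision for each.
    $samples = ['https://www.example.com/account', 'https://other.test/',
        '//other.test/', 'javascript:alert(1)', 'https://www.example.com@other.test/',
        'https://www.example.com.other.test/', "https://www.example.com/\r\nX-Test: 1"];
    foreach ($samples as $s) {
        $verdict = safe_redirect_target($s) === null ? 'rejected' : 'allowed';
        printf("%-45s %s\n", json_encode($s), $verdict);
    }
} else {
    $target = safe_redirect_target($_POST['target'] ?? null);
    if ($target === null) {
        http_response_code(400); // abort the request, as the answer advises
        exit('Invalid redirect target');
    }
    header('Location: ' . $target);
    exit;
}
```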
In old versions of PHP this would be a CRLF injection vulnerability. However, that has been fixed and now it's just an OWASP A10 violation. So to answer your question, YES it is a vulnerability because it violates OWASP.
It depends on your design and requirements. But I think instead of asking for the whole path from the user, just ask for the differentiating path and add the initial part of your own. I mean http://HOSTNAME/$userGivenPath
2nd, if you know the valid paths, then validate the entry from the user against those valid paths.
3rd, if you are using $_POST['path'] directly right now, later you may also use it in other places like require $_POST['']. So, your way of using the POST can be dangerous. So, you should filter the filepath for \.. , \..\.. etc. So, better filter the input and help yourself and others who follow your code write better code.
There is no vulnerability.
Even though the user can put anything in $_POST['target'], so? He will be redirected to the page he wanted. The same as if he just typed another URL in the address bar, or changed some chars on this page with Firebug.
If you worry about CSRF-type attacks, then just make protection against them.
UPD:
To the persons who think it is vulnerable and who downvote me (thanks for the downvote for the truth, you just confirmed you have nothing to say, just downvote):
Take this code http://pastebin.com/Jw4Zp3F5 and prove it is vulnerable.
UPD 2:
So, 1 week left. I've got a lot of links to security articles and have read a lot of loud words that it is a vulnerability. But NO ONE has proven that it really is.
So, misters experts, if it is a vulnerability, why has no one proved that based on my script with the vulnerable line? Or is everything you can do just point to the article and nothing more, huh?