Clever Geek Handbook

Prevent XSS in HTML Forms from a Third Party Site

The basics:

  • I have a contact form that uses php to validate the form. (in addition to the client side) This can be done in any server side language though.
  • Server side only allows Az 0-9 for certain fields (it is acceptable to validate this field in English only with a very limited range)
  • If the form contains errors, I re-fill the fields so the user does not need to re-enter before submitting again
  • I don't want other sites to submit to my form, even though legitimate uses can be found there.

I can easily create a form on another website that puts a dirty word in the box. Certain dirty words are perfectly legal under the rules of validation, but my employer clearly wouldn't want that to happen.

I get the impression that dedicated hackers can influence cookies, php sessions and of course hidden fields are easy to fake along with referrers, etc. How do I block third-party sites from publishing on my page?

Please feel free to help me and google. My search terms are weak and the methods that I know will fail.

What if someone submitted "d03boy eats cats" through a form on their site and got people to click on a link that would submit it to my form? (Admit it is possible, and my company cannot take any risk.) Then when the user clicks on the link they see inside the "name" field, "d03boy eats cats" and gets insulted and contacts PETA about our site content. We simply cannot explain to the user what happened. True, nothing happened, but the rollover of individual users is unacceptable for my employer.

Our current solution is to not report any user inputs, which is a big usability issue in my opinion.

0


source to share


3 answers


It's like you want a moderation system for user generated content, not a technical solution. Obviously, you can check the referrer field, scrub the content and try to filter out the layman, but the enumerated maliciousness never works. (This may be an acceptable "first pass", but people are infinitely resourceful in avoiding such filters.)

Place the content submitted by the user into the queue and the moderators will review and approve the content. To ease the download, you can set Trusted Users to "pre-approved", but you said your client couldn't take any risk.



To be honest, I believe that this is not possible: even with the help of moderators, there is a risk that the moderator will destroy your system. If this is indeed the case (that they have zero risk tolerance), then I suggest that they not accept any user input, not trust the moderators, and actually exclude the site itself (because an insider might be an outcast and post something inappropriate). Obviously, every act has a risk; you need to figure out how much they can accept, like the moderator approval queue.

+1


source


I'm not sure I fully understand your question, but I'll do my best to give you a basic answer.

Cross-site scripting (XSS) usually happens when someone else puts HTML into your forms. Your site allows this to happen because it doesn't elude HTML. If you are using PHP, you probably want to use the htmlentities ($ str, ENT_QUOTES) function.



htmlentities($str, ENT_QUOTES)

PHP htmlentities

0


source


My attempt

...
<?
$form_token = "";
$token = "";
$encoded_token = "";
$salt = "ThiséèÞ....$Γ–yiΓ¬eéèÞ";  //it is 70 characters long
...
...
$blnGoodToken = false;
...
...
//Check for the encoded token
session_start();
$encoded_token = GetSuper('POST', 'TOKEN');
if (isset($_SESSION['TOKEN'])) {
    if (sha1($_SESSION['TOKEN'] + $salt) === $encoded_token) {
        $blnGoodToken = true;
        //echo "Good Token";
        }
    else {
        //echo "Bad Token";
        $blnGoodToken = false;
        unset($_SESSION);
        session_unset();
        session_destroy();
        session_start();
        }
    }
else {
    $blnDoit = false;
    echo "No Token, possible no session";
    }

$token = uniqid(rand(), TRUE);
$_SESSION['TOKEN'] = $token;
$form_token = sha1($token + $salt);
...
...
?>
...
...
<form action="request.php?doit=y" method="post">
    <input type="text" name="TOKEN" id="TOKEN" value="<?=$form_token?>" />
    <!--
    form stuff
    -->
    <input type="reset"  value="Clear" />
    <input type="submit" value="Submit" />
</form>

Since I don't use sessions anywhere else on the site, I don't think we are highly susceptible to session hijacking. The token changes every load and gets a token according to the session you need to know.

  • I am using SHA. Easy guess to do in my php code
  • I keep it in session. I assume the session is receivable
  • My salt. I think this is a good secret. If they know my salt, they already belong to my server
0


source






More articles:


All Articles