XSS – Mitigation php Chat

Exercise XSS – Mitigation in php chat

1. Introduction

Please exploit an extremely vulnerable chat application (XSS) and afterwards fix the vulnerability in the source code of the PHP program.

2. Tasks

play around with the chat 🙂

  1. enter HTML tags and observe „Your Message“
  2. enter JavaScript and observe „Your Message“
  3. open Theia and fix the vulnerable chat in the Theia Web IDE

Your report should also include the following things:

  1. please explain the vulnerability
  2. please explain how you fix the problem in chat.php
  3. what if you could not fix the source code?

3. Answers and Solution

XSS is script injection on the client side; as the other user pointed out, it can result in any action that the victim user is able to perform in the application. Mostly XSS is used for session hijacking: the attacker's JavaScript makes the victim's browser transmit its session cookies to an attacker-controlled server, and from there the attacker can perform „session riding“.
–> See BeEF Attack Exercise

But XSS can also result in complete application takeover. Consider a scenario in which you inject JavaScript and it gets stored (stored XSS). An admin then loads that content in a web browser (usually a log viewer or CMS). If the XSS fires there, you now have the admin's session tokens. That is why XSS can be very dangerous.

3.1 Testing

  1. try with HTML tags

Output:

3.2 try an alert popup with JS code

4. Fix Vulnerable Chat Service

Use the PHP sanitize filter FILTER_SANITIZE_STRING on the incoming request data (it strips tags and encodes quotes) to prevent XSS input.

Reference: https://www.php.net/manual/de/filter.filters.sanitize.ph

/* Prevent XSS input: sanitize every GET and POST variable before chat.php uses it */
$_GET  = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
/* I prefer not to use $_REQUEST...but for those who do: */
$_REQUEST = (array)$_POST + (array)$_GET + (array)$_REQUEST;
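The input filter above works, but FILTER_SANITIZE_STRING is deprecated since PHP 8.1, and the more robust fix is to encode at the point where the message is written into the page. The following is an added example, not the exercise's chat.php: it assumes a handler that takes a chat message and renders it as „Your Message“, shows the vulnerable rendering next to the encoded one, and reproduces the effect of the sanitize filter with strip_tags() plus htmlspecialchars(). The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not the exercise's chat.php). Function names are placeholders.
declare(strict_types=1);

/**
 * Vulnerable rendering: the raw message lands inside the HTML body, so
 * "<script>" tags or event-handler attributes are interpreted by the browser.
 */
function render_message_vulnerable(string $msg): string
{
    return '<div class="msg">Your Message: ' . $msg . '</div>';
}

/**
 * Fixed rendering: encode at output time for the HTML body context.
 * ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string (which would silently drop input).
 */
function render_message_fixed(string $msg): string
{
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="msg">Your Message: ' . $safe . '</div>';
}

/**
 * Input-side counterpart of the FILTER_SANITIZE_STRING approach used above.
 * That filter is deprecated since PHP 8.1; strip_tags() followed by
 * htmlspecialchars() gives approximately the same result (tags removed,
 * quotes encoded) without the deprecation notice.
 */
function sanitize_input(string $msg): string
{
    return htmlspecialchars(strip_tags($msg), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs mirroring tasks 1 and 2 of the exercise.
$samples = [
    'plain'  => 'hello',
    'html'   => '<b>bold</b>',
    'script' => '<script>alert(1)</script>',
];

foreach ($samples as $label => $input) {
    printf(
        "[%s]\n  vulnerable: %s\n  fixed:      %s\n  sanitized:  %s\n",
        $label,
        render_message_vulnerable($input),
        render_message_fixed($input),
        sanitize_input($input)
    );
}
```

Run it with the PHP CLI (php example.php): the „vulnerable“ line shows the tags passed through untouched, the „fixed“ line shows them as &lt;script&gt; so the browser displays rather than executes them, and the „sanitized“ line shows the tags stripped entirely. Output encoding is preferred over input stripping because it does not destroy legitimate text such as a user writing "a < b", and it stays correct for every place the stored message is later displayed.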

4.1 Testing the fix

Fix seems to work: