[nycphp-talk] wonderful presentation on Tuesday
Chris Shiflett
shiflett at php.net
Fri Apr 27 11:31:23 EDT 2007
Thanks for the kind feedback, Susan. I appreciate it.
> How ever can someone inject their code/script onto my webpage?
> The code is on my server so they don't have access to it.
This is possibly a topic that I need to give more attention in the talk,
and I appreciate the constructive criticism.
I don't spend much time demonstrating what mistakes you might make to
allow such things to happen, but in most cases, not doing what I suggest
for remediation is all that's required. In other words, doing nothing is
usually enough of a mistake.
For example, here's a simple example that's likely vulnerable to XSS:
<?php
$html = array();
$html['user'] = htmlentities($_GET['user']);
echo "<p>Welcome back, {$html['user']}.</p>";
?>
If the Content-Type header does not indicate ISO-8859-1 as the character
encoding (which htmlentities() uses by default), an attacker can provide
a UTF-7 encoded payload as the value of $_GET['user'].
Of course, a more obvious mistake is this:
<?php
echo "<p>Welcome back, {$_GET['user']}.</p>";
?>
Hope that helps.
Chris
--
Chris Shiflett
http://shiflett.org/
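The remediation Chris alludes to, applied to the same "Welcome back" snippet, as an added example that is not part of the original post. It declares the character encoding explicitly (header and meta tag) and passes the same encoding to htmlentities(), so the browser and the escaping function agree on how the bytes are interpreted; the escape_html() helper name is my own, not anything from the post or from PHP itself.

```php
<?php
// Added example, not code from the original post. Hardened form of the
// "Welcome back" snippet: the browser is told the encoding up front and the
// escaping function is told the same encoding, so neither has to guess.

// 1. Declare the document's character encoding before any output. A browser
//    that is never told the charset may sniff one, and a sniffed encoding
//    can turn otherwise-harmless bytes into markup.
header('Content-Type: text/html; charset=UTF-8');

// 2. Escape with the encoding you declared (not the ISO-8859-1 default),
//    and escape quotes too so the value is also safe inside attributes.
//    escape_html() is a hypothetical helper name used for this example.
function escape_html($value)
{
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
}

$html = array();
// Supply a default so a missing parameter does not raise an undefined-index notice.
$html['user'] = escape_html(isset($_GET['user']) ? $_GET['user'] : '');
?>
<!DOCTYPE html>
<html>
<head>
<!-- 3. Repeat the encoding in the markup as a second signal to the browser. -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Welcome</title>
</head>
<body>
<p>Welcome back, <?php echo $html['user']; ?>.</p>
</body>
</html>
```

One caveat worth knowing when you name an encoding: htmlentities() validates the input against it, and on an invalid byte sequence it returns an empty string (on PHP 5.4 and later you can pass ENT_SUBSTITUTE to replace bad sequences instead). That is the safe failure mode, since nothing unescaped reaches the page, but it means a garbled value silently disappears rather than being displayed.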