News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Brandon Savage's Blog:
An XSS Vulerability In The Making
March 07, 2012 @ 12:02:46

Brandon Savage has a new post to his blog about what he calls a XSS vulnerability in the making, something to watch out for when you're doing validation in PHP involving the possibility of numbers as strings.

Back in September, Socorro received a security bug relating to the method we were using for processing inputs for the duration of certain reports. The vulnerability included a proof of concept, with an alert box popping up on production when the link was followed. [...] I was quite surprised at the root cause of the vulnerability. We had opted to compare the incoming data against a known set of valid values - a common practice when whitelisting certain inputs. [...] As expected, when this [example] code is tested, a string of '3' and an integer of 3 work equally well, and a string of '5' and an integer of 5 fail equally.

This automatic casting that PHP does internally caused another issue as well - if the string passed in even started with a valid number from their whitelist set, it still passed.

At first we thought this surely had to be a bug in PHP. However, Laura Thomson told me "If comparing two values, type juggling is performed first, which means that the string is converted to a number. This is done by taking the first number found in the string. So this may be confusing/a quirk/a gotcha, but it isn't a bug." And she's right: this isn't a bug per se, but it's certainly an interesting "gotcha."
0 comments voice your opinion now!
crosssitescripting xss type juggling string conversion internal


blog comments powered by Disqus

Similar Posts

Etienne Kneuss' Blog: Dataflow Type Analysis for PHP

Mrinmoy Ghoshal's Blog: Concept of Strings:PHP

Acunetix.com: Web Site Security Center

Tobias Schlitt's Blog: PHP Documentor for VIM documented

PHPMaster.com: An Introduction to Ctype Functions


Community Events





Don't see your event here?
Let us know!


community opinion deployment symfony package series bugfix voicesoftheelephpant release podcast introduction install api list laravel library interview framework language tips

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework