News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Brandon Savage's Blog:
An XSS Vulerability In The Making
March 07, 2012 @ 12:02:46

Brandon Savage has a new post to his blog about what he calls a XSS vulnerability in the making, something to watch out for when you're doing validation in PHP involving the possibility of numbers as strings.

Back in September, Socorro received a security bug relating to the method we were using for processing inputs for the duration of certain reports. The vulnerability included a proof of concept, with an alert box popping up on production when the link was followed. [...] I was quite surprised at the root cause of the vulnerability. We had opted to compare the incoming data against a known set of valid values - a common practice when whitelisting certain inputs. [...] As expected, when this [example] code is tested, a string of '3' and an integer of 3 work equally well, and a string of '5' and an integer of 5 fail equally.

This automatic casting that PHP does internally caused another issue as well - if the string passed in even started with a valid number from their whitelist set, it still passed.

At first we thought this surely had to be a bug in PHP. However, Laura Thomson told me "If comparing two values, type juggling is performed first, which means that the string is converted to a number. This is done by taking the first number found in the string. So this may be confusing/a quirk/a gotcha, but it isn't a bug." And she's right: this isn't a bug per se, but it's certainly an interesting "gotcha."
0 comments voice your opinion now!
crosssitescripting xss type juggling string conversion internal


blog comments powered by Disqus

Similar Posts

Secunia.com: PHPChain Two Cross-Site Scripting Vulnerabilities

Refulz.com: The __toString() Method - Objects as Strings

DeveloperDrive.com: What Web Developers Need to Know About Cross-Site Scripting

Gareth Heyes' Blog: PHP self return of the slash

WebCheatSheet.com: Secure File Upload with PHP


Community Events

Don't see your event here?
Let us know!


conference interview community library symfony2 application podcast opinion language api install series introduction release framework performance laravel php7 configure example

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework