Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
One of my websites has recently, and is (ongoing) continuously, under attack. A JavaScript script is being inserted into the MySQL database somehow.
I am using the following:
$unsafe_variable = addslashes(htmlspecialchars(strip_tags(mysql_real_escape_string($_POST['user_input']))));
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
However, the hacker is still able to insert a "script" tag. I have no idea how. I have a word filter and blacklisted the word "script", which gets blocked when I post a test to the site. How is he/she able to get it through?
The above is a screenshot of the entry into the database. Anyone have any ideas on how I can prevent this?
For a start, JavaScript is code that a user can actually edit using DOM tools (like inspect element) and should never be used as a mechanism to security with Databases.
You should firstly start to research about prepare statements in PDO if you're using un-trusted user input; the bind paramtter in the PDO interface automatically strips the HTML content out of the input.
You can also look at the preg_replace function inside of PHP. This can be used to do more unique and to-the-point strips and allows functionality like BB Code.
There are plenty of resources on stack over-flow which cover the security issues raised in this question and certainly solve each layer attack.
Source 1
Source 2
Also note, the attack you're specifying is an XSS attack used to inject malicious JavaScript code. If you want to allow this code, never directly insert it to a global page (ie: comments that multiple users can see). Only allow the single user to view the code they put in. Otherwise, view the above sources for further information.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 months ago.
Improve this question
I'm fairly new to coding, and when I try to find a way to lock my website behind a username and password field, every tutorial just hides them as a plain variable in some random file. I'm wanting to make the website only accessible once a username and password have been entered, but I want the usernames and passwords to be made and managed by myself, so only people I know can access it. If this is a really obvious thing I apologise, but if it's something that I can specifically look up please let me know so I can do more independent research.
There's no good way to do this on the frontend alone.
every tutorial just hides them as a plain variable in some random file.
Sounds like some pretty shoddy tutorials. Anyone could look at the source code of the site and get in.
The right thing to do would be to:
Hash the passwords (one-way encryption so that the original password text cannot be recovered, even if someone gains access to the hash)
Save the passwords in a database or (if there aren't many) in environment variables on your server
Set up routing on the server so that if the user isn't authenticated, none of the protected content gets sent to them in the first place - redirect them to the login page. (Don't serve the HTML of a protected page and then try to do validation from that page; with that approach, users would still be able to open up the developer tools and bypass your restrictions, by inserting their own code and removing your own).
Anything on the client-side can be tampered with and bypassed; gate requests behind the server instead, which is (or, has the potential to be) much more secure.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 months ago.
Improve this question
Let's say you want to display writing on your website. Maybe it's a blog or a website like a medium or even Stackoverflow. You want users to be able to submit their writing. Format the text (make certain parts bold or italic), insert pictures between texts, and so on.
How would you go about doing this? I think I could figure out hacky ways to do it, but what is the best practice for making that sort of website?
If you're using a headless CMS, wysiwyg editor, markdown editor, ... you'll most probably get HTML back as a string, which you'll need to output.
As you might have noticed, hence you question, you can't just output <div>{html}</div> in your React component. This is because React escapes certain characters to prevent XSS.
In order to display user submitted HTML, you can use https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml. The reason for the weird name is that you will allow users to output unsafe HTML which might execute JavaScript or network requests on your website. This can have huge security consequences. You'll have to run the HTML through a sanitizer, which will strip any HTML attributes that can be used to execute JavaScript and escape characters like React does. Don't attempt to do this yourself, people constantly find new ways to bypass these sanitizers.
Sanitizers you can use:
https://github.com/cure53/DOMPurify
https://github.com/apostrophecms/sanitize-html
Email applications will sometimes use a sandboxed iframe to display raw HTML from emails but for content that's not really an option (SEO).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I am having a peculiar problem. I am working on an application where we store the html rich content. And then render it in an Iframe. I have multiple questions in this area.
when loading and rendering rich content like this, is there a possibility of XSS attacks? If yes, then what kind of attacks shall these be?
If answer to above question is yes, then how should I prevent it?
Currently we are using JSOP library to strip the html tags from the content and sending it to server for rendering. Is there a way to retain the CSS and style attributes and still have my application secure against XSS attacks in my particular situation? (NOTE: I am just rendering the content; user is not entering any data here; at least not in the whole process; though there might be a possibility that original data at first place has malicious contnet). Effectively is there any other way for me except using whitelist or blacklist (of tags) based solution ?
What I have looked so far are below.
sanitize library : configurable white list based
antisamy: configurable
owasp java html sanitizer: configurable white list based
jsoup library : configurable white list based
owasp: a good reference
encoding: only for user input. I don't think its relevant for my use case here.
content-security-policy: seems like a usable thing along with
jsoup/sanitize like solution
In a nutshell, What I need is CSS and styling to remain the same, rest I can block.
Resources I have gone through are: owasp salesforce this article
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
Okay I know the answer to an all in one data cleaning strategy do not do it. My question is: Are there any standard actions that should be taken to secure form data right off the bat? Asides from doing my own form validation (ie Email, phone, etc).
As of currently this is in relation to a WebApp (HTML, PHP and MYSQL) but I would not say this should be limited to that I want to know best practices. From what I have read the only time anything should be done is when in as a data cleansing step is before a particular action is taken with that data (ie before storing in my database use mysql_real_escape_string).
EDIT:
Asides from SQL injection what are other malicious attacks that can occure from not cleaning data?
First of all, I am assuming you are using MySQLi (PDO is fine as well) and not the deprecated MySQL extension. If not, then you should definitely switch to one of those two.
Before inserting information into the database always make sure you used prepared statements and parametrized queries (see here: How can I prevent SQL injection in PHP?)
As for validating Emails, IP's and other types of data before they are inserted into the database, consider using filter_var() (see here: http://php.net/manual/en/function.filter-var.php)
When pulling information out of your database, make sure you use htmlspecialchars() and strip_tags().
Example: htmlspecialchars(strip_tags($message_body))
Magic Quotes has shown us that every sort of sanitation 'right off the bat' is bad practice. We validate our data when we need it at runtime as different usage requires different validation.
For validation purposes there are nowadays dozens of libraries available such as GUMP and Zend Forms (Further libraries can be found here: Easiest Form validation library for PHP?).
P.S.: You are talking about mysql_real_escape_string. Make sure that you use either PDO or mysqli instead of the nowadays deprecated Original MySQL API. For more information read: Why shouldn't I use mysql_* functions in PHP?.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
What is the best script to use for showing the current visitors or guests Online?
Thanks!
As #Ryan Smith suggested, this greatly depends on the implementation details of the website. I'm sure that there is a off-the-shelf framework offering a storefront application with all the bells and whistles (such as the types of scripts you are mentioning); however, these can range anywhere from being free and open source, or very expensive.
Implementing a script like this yourself isn't very difficult. Assuming that you're keeping track of the users on the website in some form of data store (typically a backend database) you could do something like this:
When the page loads, fire a JavaScript that makes an Ajax request
Have the page that's the target of the Ajax request select a count of the number of rows in the table storing the active users. Return this result.
When the request completes, have the Ajax callback insert the number into the DOM in whatever place you'd like.
You can set this process to repeat at certain intervals so that the pages containing the script are dynamically updated showing a relatively up to date count of the number of users online.
I think it all depends on how your tracking who's online within your application.
Usually, when someone logs-in, you create a session for them that you could iterate through based on whatever language you are using.
You have to keep in mind that HTTP is a stateless environment, so determining when someone is online is largely subjective as to your opinion as to how long ago they logged in.