PHP_SELF and XSS
To make it safe to use you need to use htmlspecialchars()
.
<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>
See A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written for how $_SERVER["PHP_SELF"]
can be attacked.
PHP XSS command when using $_SERVER['PHP_SELF']
This even works when the web address is nonexistent. Shouldn't that person get an error page of some kind saying that the website cannot be found? Just like when we accidentally type in a wrong address and got nothing?
Not if the web server is configured to allow extra data after the script path. In Apache, this is configured by the AcceptPathInfo Directive.
Even though it works, how is anyone else besides the "hacker" himself affected if the change is not saved on the php file on the server? I mean it is the hacker who manually typed in the malicious code, and it is his browser that would download the affected web page.
An XSS attack would require the attacker to get the target to visit this URL, so that the malicious payload would run in the target's browser. One way to do this would be to trick the target into clicking a malicious link.
PHP_SELF and XSS
If you’re using AcceptPathInfo
or something similar such that a URI like /index.php/foo/bar
is directed to /index.php
, requesting /index.php/%22%E3E…
can get your following data outside the form
tag.
And as for the second question: click here.
PHP_SELF and SCRIPT_NAME - XSS attacks edition
As good practice, you should always protect against any variables from $_SERVER, $_GET, $_POST etc.
$str = filter_var($input, FILTER_SANITIZE_STRING);
A simple way to sanitize a string, or you can use htmlentities. I create a class that I use when returning any variables from $_SERVER, $_GET and $_POST.
$_SERVER['PHP_SELF'] vulnerability not working?
If your form is at form.php
script, try accessing it with an url in the browser like http://yoursite.com/form.php/"><script>alert('XSS')</script>
to see if it is vulnerable to injection.
If it doesn't do anything, your configuration prevents this, at least for this specific file.
(Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME'])
anyway.)
is calling $_SERVER[PHP_SELF](keeping whole php code in html) , a good way of coding?
All <?php ... ?>
code never leaves your server - it is parsed by PHP interpreter into raw HTML, so end user won't see anything server-related.
What is the reason of $_SERVER[PHP_SELF]
You shouldn't use $_SERVER["PHP_SELF"]
in that way for security reasons. This is because you print the complete path including all parameters to your site and you have a XSS problem.
If you want to send your form to the same site you can very simple use the #
.
<form action="#" method="post">
Or type in the complete filename that prevents to add all parameters to your website.
PHP_SELF and XSS
Here is another Post how to secure that part.
How to protect against this type of attack?
I was using $_SERVER['PHP_SELF']
in an href
tag, so that's where the JavaScript was triggered.
The solution is simple. I run PHP_SELF
through a filter before using, and any passed garbage is cleaned and safe to use on the page.
Using $_SERVER['PHP_SELF']; vs htmlentities($_SERVER['PHP_SELF']); for canonical link on https
The problem: The user can control the content of $_SERVER['PHP_SELF']
Let say your code is in index.php
So when you call https://www.yourserver.com/index.php your code will worked as expacted. But index.php will also called when someone will call
http://localhost/phpinfo.php/%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr
The part /%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr is called PATHINFO
When you try it, you will see that some javascript will also executed.
Some evil user can generate such a link with any javascript in it and send it by email to his victim in the hope he will click on it, his javascript will be execute on the victim browser. So may be he can steal the session id from that user and capture his session
Related Topics
How to Validate an Email Address in PHP
How to Get a File'S Extension in PHP
Simplest PHP Example For Retrieving User_Timeline With Twitter API Version 1.1
Allowed Memory Size of 33554432 Bytes Exhausted (Tried to Allocate 43148176 Bytes) in PHP
Why Would $_Files Be Empty When Uploading Files to PHP
Finding the Number of Days Between Two Dates
How to Make a Request Using Http Basic Authentication With PHP Curl
How to Call a JavaScript Function from PHP
Extract a Single (Unsigned) Integer from a String
In PHP, What Is a Closure and Why Does It Use the "Use" Identifier
Escaping Quotation Marks in PHP
Angularjs Http Post to PHP and Undefined
Search Form With One or More (Multiple) Parameters
How to Get a Substring Between Two Strings in PHP