09-11-2011 00:00 - Source: php.vrana.cz
I originally wrote this article for Smashing Magazine about a year ago, but it hasn't found its way to publication. However, the ideas in the article are still valid, so I am publishing it at least on my blog.
Terms like XSS, SQL Injection or CSRF are well known to more experienced web-application developers. The descriptions of these and other attacks are usually easy to understand and the defense against them is straightforward. Unfortunately, there are still lots of things that can be done wrong. This article points out the usual mistakes made while securing an application. It is written primarily for PHP developers, but most of the concepts apply to other programming languages as well.
Cross-Site Scripting
The defense against XSS is the easiest one, right? Just call htmlspecialchars somewhere and you are safe. Well, not really.

First of all, you also have to declare the page encoding through the charset parameter of the Content-Type HTTP header (the default_charset configuration directive in PHP does this for you). Otherwise an attacker can trick the browser into interpreting the page as UTF-7 (historically by embedding it in a frame on a page of their own that declares that encoding), where a string that htmlspecialchars considers safe, such as +ADw-script+AD4-, becomes a script tag. Current browsers no longer decode UTF-7, but an undeclared charset still leaves the interpretation of your bytes up to the browser's guessing, so declare it every time. The same charset must be passed to htmlspecialchars as its third argument; before PHP 5.4 the function defaulted to ISO-8859-1, not UTF-8. It is also important to use an encoding that contains all characters (in practice UTF-8; avoid Latin-1), otherwise browsers submit characters that the page encoding cannot represent as HTML numeric entities like &#8364; in form fields, and those entities end up in your database looking like user-typed markup.
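The following script is an added example, not code from the original article. It shows why the UTF-7 payload passes through htmlspecialchars untouched, what it decodes to, and the two settings that close the hole: the charset in the Content-Type header and the charset argument of htmlspecialchars. The payload string and the helper name h() are constructed for this example.

```php
<?php
// Added example (not from the original article): declared charset + htmlspecialchars charset.

// Constructed attacker input. Written in UTF-7 it is "<script>alert(1)</script>",
// but as bytes it contains no <, >, &, or quotes.
$utf7Payload = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-';

// htmlspecialchars() finds nothing to escape, so the "safe" string is output verbatim.
$escaped = htmlspecialchars($utf7Payload, ENT_QUOTES, 'UTF-8');
var_dump($escaped === $utf7Payload); // bool(true)

// This is what a browser that decided the page is UTF-7 would see:
echo mb_convert_encoding($utf7Payload, 'UTF-8', 'UTF-7'), "\n"; // <script>alert(1)</script>

// Defense 1: pin the encoding in the HTTP header before any byte of output is sent.
// Setting default_charset = "UTF-8" in php.ini has the same effect for every script.
header('Content-Type: text/html; charset=utf-8');

// Defense 2: escape with the same charset at the point of output. ENT_QUOTES also
// escapes single quotes, so the result is safe in single- or double-quoted attributes.
// On invalid UTF-8 htmlspecialchars() returns an empty string instead of passing the bytes through
// (PHP >= 5.4; add ENT_SUBSTITUTE to replace bad sequences with U+FFFD instead).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$q = $_GET['q'] ?? $utf7Payload;
echo '<p>Results for <b>', h($q), '</b></p>', "\n";
echo '<input name="q" value="', h($q), '">', "\n";
```

The header() call has to precede any output, including whitespace before the opening PHP tag, otherwise PHP emits a "headers already sent" warning and the charset is never delivered; the default_charset directive avoids that ordering problem entirely.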
Next, it is vital to escape data just before outputting it to HTML, not on input, for three reasons.

You may want to use the data in some other context (a plain-text e-mail, JSON, a PDF). With the raw value stored, you never need to unescape it first.

You may want to store data coming from some other application. For example, you fix a typo in a comment through Adminer and forget to escape a special character by hand. If the page is served as XHTML, the result is a parse error and the page does not display at all.

The most important reason is simple: escaped data are longer. Therefore, if you want to store data in a varchar(20) column and a user inputs 15 characters with ...
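As an added example (not code from the original article), the script below makes the third reason concrete and also covers the first one: a constructed 16-character input that fits a varchar(20) column grows to 33 characters once escaped, so a database that truncates silently cuts it in the middle of an entity, while the raw value can be escaped differently for each output context. The helper name h() and the sample input are assumptions of this example.

```php
<?php
// Added example (not from the original article): escaping on input vs. on output.

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed user input: 16 characters, fits a varchar(20) column as typed.
$input = 'Tom & Jerry "<3"';

// Escaping on input: every &, " and < grows into an entity.
$escapedOnInput = h($input);
printf("%d -> %d characters\n", strlen($input), strlen($escapedOnInput)); // 16 -> 33

// What varchar(20) keeps if the database truncates silently (e.g. MySQL without
// STRICT_TRANS_TABLES): the cut lands inside an entity and leaves "&quo" behind.
$stored = substr($escapedOnInput, 0, 20);
echo $stored, "\n"; // Tom &amp; Jerry &quo

// Escaping on output: store the raw value and let each context escape for itself.
$raw = $input; // what goes into the database, unchanged

echo h($raw), "\n";                                            // HTML body or attribute
echo json_encode($raw, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS), "\n"; // inside <script>
echo $raw, "\n";                                               // plain-text e-mail, as typed

// With input-time escaping the last two outputs would need html_entity_decode() first,
// and nothing could tell a stored "&amp;" typed by the user apart from one you added.
```

The JSON_HEX_* flags make the JSON literal safe to embed directly inside a script element, which is a different context with different dangerous characters than an HTML attribute; that difference is exactly why one escaping step at input time cannot serve every output.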