News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Brandon Savage's Blog:
An XSS Vulerability In The Making
March 07, 2012 @ 12:02:46

Brandon Savage has a new post to his blog about what he calls a XSS vulnerability in the making, something to watch out for when you're doing validation in PHP involving the possibility of numbers as strings.

Back in September, Socorro received a security bug relating to the method we were using for processing inputs for the duration of certain reports. The vulnerability included a proof of concept, with an alert box popping up on production when the link was followed. [...] I was quite surprised at the root cause of the vulnerability. We had opted to compare the incoming data against a known set of valid values - a common practice when whitelisting certain inputs. [...] As expected, when this [example] code is tested, a string of '3' and an integer of 3 work equally well, and a string of '5' and an integer of 5 fail equally.

This automatic casting that PHP does internally caused another issue as well - if the string passed in even started with a valid number from their whitelist set, it still passed.

At first we thought this surely had to be a bug in PHP. However, Laura Thomson told me "If comparing two values, type juggling is performed first, which means that the string is converted to a number. This is done by taking the first number found in the string. So this may be confusing/a quirk/a gotcha, but it isn't a bug." And she's right: this isn't a bug per se, but it's certainly an interesting "gotcha."
0 comments voice your opinion now!
crosssitescripting xss type juggling string conversion internal


blog comments powered by Disqus

Similar Posts

Tobias Schlitt's Blog: PHP Documentor for VIM documented

Court Ewing's Blog: Forget Concatenation; Format your strings!

Secubos.com: Cross-Site Scripting Vulnerability in phpFaber

Sara Golemon's Blog: PHP6: News from the front...

Community News: Lead PEAR Developer Changes Focus


Community Events





Don't see your event here?
Let us know!


threedevsandamaybe conference framework language unittest voicesoftheelephpant composer series configure release opinion symfony introduction community interview api list laravel podcast version

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework