Stored XSS, also known as Persistent XSS, is a cross-site scripting attack in which the attack vector is stored improperly (without sufficient filtering) in the database; the application later delivers that stored vector to every victim who visits the affected page.
High
```php
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input (SQL escaping only, no HTML encoding)
    $message = stripslashes( $message );
    $message = mysql_real_escape_string( $message );

    // Sanitize name input (SQL escaping only, no HTML encoding)
    $name = stripslashes( $name );
    $name = mysql_real_escape_string( $name );

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
    //mysql_close();
}
```
A normal request and its response:

```http
POST /dvwa/vulnerabilities/xss_s/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

txtName=John+Doe&mtxMessage=This+is+a+normal+message+&btnSign=Sign+Guestbook
```

```http
HTTP/1.1 200 OK
Date: Mon, 09 Jul 2018 14:03:09 GMT
Server: Apache/2
X-Powered-By: PHP/5.6.23

<div id="guestbook_comments">Name: John Doe<br />Message: This is a normal message<br /></div>
```
The code above shows how the web application handles user data before storing it in the MySQL database. It does not filter the special characters that make an XSS attack possible when the data is later delivered to users without proper output filtering, in this case `<` and `>`. An attacker can therefore exploit this mistake by storing a payload of the form `<script> ... Evil code ... </script>`, as in the following request:
```http
POST /dvwa/vulnerabilities/xss_s/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

txtName=Evil_Guy&mtxMessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&btnSign=Sign+Guestbook
```

```http
HTTP/1.1 200 OK
Date: Mon, 09 Jul 2018 14:03:09 GMT
Server: Apache/2
X-Powered-By: PHP/5.6.23

<div id="guestbook_comments">Name: Evil_Guy<br />Message: <script> alert(1) </script> <br /></div>
```
Fixed code:

As described in [Mitigations](mitigations.md), we used the `htmlspecialchars()` function to escape the input correctly:
```php
<?php
if( isset( $_POST[ 'btnSign' ] ) ) {
    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input: SQL escaping, then HTML encoding of & < > "
    $message = stripslashes( $message );
    $message = mysql_real_escape_string( $message );
    $message = htmlspecialchars( $message );

    // Sanitize name input: SQL escaping, then HTML encoding of & < > "
    $name = stripslashes( $name );
    $name = mysql_real_escape_string( $name );
    $name = htmlspecialchars( $name );

    // Update database
    $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
    $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
    //mysql_close();
}
```
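To make concrete why `mysql_real_escape_string()` alone does not stop the stored XSS above while `htmlspecialchars()` does, the following added Python example (not part of the original write-up or of DVWA) models both guestbook pipelines over the two requests shown on this page and counts the live `<script>` elements in the rendered `guestbook_comments` div. The PHP functions are re-implemented as simplified models and the form bodies are copied from the requests above.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed POST bodies, copied from the two requests in the write-up.
NORMAL_BODY = "txtName=John+Doe&mtxMessage=This+is+a+normal+message+&btnSign=Sign+Guestbook"
XSS_BODY = "txtName=Evil_Guy&mtxMessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&btnSign=Sign+Guestbook"

# Characters mysql_real_escape_string() escapes: NUL, \n, \r, \, ', " and Ctrl-Z.
# '<' and '>' are not in the set, so it gives no protection against XSS.
_SQL_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_real_escape_string(value: str) -> str:
    """Model of PHP's mysql_real_escape_string(): escapes SQL metacharacters only."""
    return "".join(_SQL_ESCAPES.get(ch, ch) for ch in value)

def htmlspecialchars(value: str) -> str:
    """Model of PHP's htmlspecialchars() with default flags (ENT_COMPAT: & < > ")."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))

def render_guestbook(body: str, fixed: bool) -> str:
    """Store a form body via the vulnerable (fixed=False) or patched (fixed=True) pipeline and render it."""
    form = parse_qs(body)
    name, message = form["txtName"][0].strip(), form["mtxMessage"][0].strip()
    # mysql_real_escape_string() only protects the INSERT literal; MySQL undoes it
    # when parsing the query, so the stored and echoed text is the original input.
    if fixed:  # the patched code HTML-escapes before storing
        name, message = htmlspecialchars(name), htmlspecialchars(message)
    return f'<div id="guestbook_comments">Name: {name}<br />Message: {message}<br /></div>'

class _ScriptCounter(HTMLParser):
    """Counts <script> start tags, i.e. elements a browser would actually execute."""
    def __init__(self):
        super().__init__()
        self.scripts = 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

def script_elements(html: str) -> int:
    """Return how many live <script> elements the rendered guestbook HTML contains."""
    counter = _ScriptCounter()
    counter.feed(html)
    return counter.scripts

if __name__ == "__main__":
    for label, fixed in (("vulnerable", False), ("fixed", True)):
        out = render_guestbook(XSS_BODY, fixed)
        print(f"{label}: {script_elements(out)} script element(s): {out}")
```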