
I need to write PHP code in an application in which I have access to the code, because it is a white box.

However, I noticed that they use the following function:

function stripbadchars($str_chain){
    // Blacklist of characters that are removed from the input
    $bad_chars = array("/","\\","\"","'","?","#","+","~","<", ">", "*", "|", ":");

    // Delete every occurrence of each blacklisted character
    for($i=0;$i<sizeof($bad_chars); $i++){
        $str_chain = str_replace($bad_chars[$i], "", $str_chain);
    }
    return $str_chain;
}

When I write <?php in a field of the application, it comments it out for me in the following way: <--?php

And it gives it to me as HTML. Is there any way I could do a bypass?

schroeder
pignitulto

1 Answer

Basically, this kind of mechanism is known as blacklist validation. Blacklist validation is weaker because a skilled attacker could evade your validation functions or send values that your function did not expect.

There are so many ways to bypass blacklist filters: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

For your block of code, I used an HTML-encoded payload and it worked for me. The reason is that your list does not account for this type of payload.

If you want to mitigate the XSS risk, then you should do:

1) White-list validation on the server side

White-listing only passes expected data using a regular expression for validating the data.

2) Contextual-output encoding:

See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.

EdOverflow
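An added example (not code from the question or the answer) that runs the posted blacklist filter over constructed inputs and places the two mitigations the answer lists next to it; the username rule and the function names isValidUsername/encodeForHtml are assumptions made for illustration:

```php
<?php
// Added example: the blacklist filter from the question, beside
// allow-list validation and contextual output encoding.

function stripbadchars($str_chain) {
    $bad_chars = array("/","\\","\"","'","?","#","+","~","<", ">", "*", "|", ":");
    for ($i = 0; $i < sizeof($bad_chars); $i++) {
        $str_chain = str_replace($bad_chars[$i], "", $str_chain);
    }
    return $str_chain;
}

// 1) Allow-list validation: accept only the shape the field is meant to hold.
//    Hypothetical rule: a username of 3 to 32 letters, digits, dots or underscores.
function isValidUsername($value) {
    return preg_match('/^[A-Za-z0-9._]{3,32}$/', $value) === 1;
}

// 2) Contextual output encoding for the HTML body / attribute context.
function encodeForHtml($value) {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
$samples = array(
    'alice_01',                   // benign value that the allow-list accepts
    '<script>alert(1)</script>',  // blacklist only mangles it, never rejects it
    '&lt;script&gt;',             // entity form: none of its characters is blacklisted,
                                  // so the filter passes it through unchanged
);

foreach ($samples as $input) {
    printf("input:      %s\n", $input);
    printf("blacklist:  %s\n", stripbadchars($input));
    printf("allow-list: %s\n", isValidUsername($input) ? 'accepted' : 'rejected');
    printf("encoded:    %s\n\n", encodeForHtml($input));
}
```

The third sample is the situation the answer describes: the blacklist has no entry for entity-encoded text, so whether it is later decoded and rendered depends entirely on the rest of the application, which is why output encoding at the point of rendering is the reliable control.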
  • With the script tag, I already checked that it works. But what I really want, is to make it work with php. Could this work for – pignitulto Dec 27 '18 at 19:28