PHP Classes

Flawed by design.


Package:dXSS
Subject:Flawed by design.
Summary:Package rating comment
Messages:5
Author:Artur Graniszewski
Date:2010-08-12 09:53:00
Update:2010-08-13 13:00:40
 

Artur Graniszewski rated this package as follows:

Utility: Insufficient
Consistency: Sufficient
Documentation: Sufficient

1. Flawed by design.
Artur Graniszewski - 2010-08-12 09:53:00
Flawed by design. This list of dangerous words is rather short. Also, there is no way to send through the class some basic English sentences containing the ' character, for example: "This isn't important".

Also, there are many, many ways for a hacker to fool this class, for example by using the simple UNION keyword (SQL injection).

2. Re: Flawed by design.
Artur Graniszewski - 2010-08-12 09:55:00 - In reply to message 1 from Artur Graniszewski
Flawed by design. This list of dangerous words is rather short. Also, there is no way to send through the class some basic English sentences containing the ' character, for example: "This isn't important".

Also, there are many, many ways for a hacker to fool this class, for example by using the simple "OR" keyword (SQL injection).

3. Re: Flawed by design.
Francisco López - 2010-08-13 06:47:57 - In reply to message 1 from Artur Graniszewski
Hello,

The class filters GET parameters. Do you really think it is necessary to send a sentence such as "This isn't important" via GET?

http://www.domain.com?Id=This isn't important? Really?

To use UNION, you need another statement such as SELECT, INSERT, UPDATE, ..., which are prohibited. In addition, the class also allows filtering by length, allowing, for example, only three characters for a variable, which would not even let the UNION statement pass.

The class is a simple way to add a layer of security but should not be the only one.

I think you should be more careful when making your criticisms.

Greetings.

4. Re: Flawed by design.
Artur Graniszewski - 2010-08-13 07:35:47 - In reply to message 3 from Francisco López
Is that so? Even the simplest website search engines use GET requests (not to mention google.com), because it is easy to send search results as a URL to another person (for example by copy-and-paste).

This class gives some non-pro developers false hope that it will help them secure their websites, while in fact it will hinder their functionality. By the way, XSS can be used in many different ways that will fool this class. See the examples:

ha.ckers.org/xss.html
cgisecurity.com/xss-faq.html
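
The blacklist problem raised in messages 1, 2 and 4, shown as an added example. This is not the dXSS class and not code posted in the thread: the word list, the `users` table, the sample inputs and the in-memory SQLite database (which needs the pdo_sqlite extension) are all constructed for illustration. The hypothetical filter rejects the legitimate sentence because of its apostrophe, while a boolean SQL injection and an XSS payload that contain none of the listed words pass; a prepared statement and output encoding handle all four inputs without any word list.

```php
<?php
declare(strict_types=1);

// Added example, not the dXSS class. Hypothetical word blacklist of the kind
// criticised in the thread; the list itself is constructed for illustration.
// Symbols are matched as substrings, keywords as whole words, case-insensitively.
const BLACKLIST_REGEX = "/'|<script|\\b(?:SELECT|INSERT|UPDATE|DELETE|UNION|OR)\\b/i";

function blacklistRejects(string $value): bool
{
    return preg_match(BLACKLIST_REGEX, $value) === 1;
}

// What actually prevents SQL injection: the value is bound as data, so the
// database never parses it as SQL, whatever words it contains.
function findUsersByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What actually prevents XSS in an HTML body: encode at output time for the
// HTML context and leave the stored input untouched.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed data: an in-memory SQLite database (requires ext/pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed inputs: one normal lookup, one legitimate sentence, two payloads.
$inputs = [
    'alice',                        // ordinary search term
    "This isn't important",         // legitimate English, rejected for the apostrophe
    '1 AND 1=1',                    // boolean SQL injection for a numeric context: not on the list
    '<img src=x onerror=alert(1)>', // XSS without <script or quotes: not on the list
];

foreach ($inputs as $q) {
    printf("%-30s blacklist:%-6s rows:%d html:%s\n",
        $q,
        blacklistRejects($q) ? 'reject' : 'pass',
        count(findUsersByName($db, $q)),   // 1 for alice, 0 for everything else
        escapeHtml($q));
}
```

The prepared statement returns no rows for `1 AND 1=1` because the whole string is compared as a literal name, which is the point: the query structure is fixed before the value arrives, so the filter's word list adds nothing to it. The encoding step is context-specific; the same value placed inside a JavaScript string or a URL would need a different encoder, not a longer blacklist.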

5. Re: Flawed by design.
Artur Graniszewski - 2010-08-13 13:00:40 - In reply to message 4 from Artur Graniszewski
By the way, the major design flaw is that using this class changes almost nothing.

Even if a hacker is caught by this filter, then what? You only send him a new redirection header: "Location: <new url>", but you've forgotten to abort the current request.

The result: the hacker will successfully execute SQL/XSS injection (any injection, even SELECT, INSERT, etc. defined in your word list), because PHP will continue the current request and execute the business logic defined after your XSS class. There will be only one little difference: after a _successful_attack_ the hacker will be redirected to the new URL defined in your class.

Secondly: if you use eregi (which is now obsolete; you should check preg_match) to pass only alphanumeric words (with the _ character), then why do you use parentheses and other non-alphanumeric characters in your word dictionary?
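
The "redirect but keep running" flaw from message 5, together with the eregi/preg_match point, as an added example. This is not the dXSS class and not code from the thread; the `id` parameter, the `/blocked.html` target, the `users` query and the hostile default value used when the script is run from the command line are assumptions for illustration. The two guards differ only in whether they terminate the request after sending the Location header.

```php
<?php
declare(strict_types=1);

// Added example, not the dXSS class. Two guards around the same "business
// logic": one that only sends a redirect, one that also stops the request.
// Parameter name, redirect target and query are assumptions for illustration.

// Whitelist check with preg_match(); eregi() was deprecated in PHP 5.3 and
// removed in PHP 7. \A and \z are used instead of ^ and $ because $ also
// matches before a trailing newline, so "42\n" would pass /^\w+$/.
function isSafeId(string $value): bool
{
    return preg_match('/\A\w{1,32}\z/', $value) === 1;
}

// Flawed pattern: redirect, but keep running. The function returns normally,
// so the caller goes on to use the hostile value; the browser follows the
// Location header only after the whole script has executed.
function guardRedirectOnly(string $value): bool
{
    if (!isSafeId($value)) {
        header('Location: /blocked.html');
        return false;               // nothing stops the script here
    }
    return true;
}

// Correct pattern: redirect and terminate. Nothing after exit runs.
function guardAndAbort(string $value): void
{
    if (!isSafeId($value)) {
        header('Location: /blocked.html', true, 303);
        exit;                       // the request ends here
    }
}

// Stand-in for the business logic; returns the SQL that would be executed.
// Deliberately concatenates the value to show what the guard was meant to prevent.
function buildQuery(string $id): string
{
    return "SELECT * FROM users WHERE id = '$id'";
}

// Constructed hostile value for CLI runs; under a web server $_GET['id'] is used.
$id = $_GET['id'] ?? "1' OR '1'='1";

// The echo calls are for the CLI demonstration only: in a real script, output
// before header() would itself prevent the redirect from being sent.
guardRedirectOnly($id);
echo "after redirect-only guard: ", buildQuery($id), "\n";   // reached with the hostile value

guardAndAbort($id);
echo "after aborting guard: ", buildQuery($id), "\n";        // never reached with the hostile value
```

Run from the CLI with the hostile default, the first line prints the injected query and the second never appears; with `id=42` both lines print. The fix is the single `exit` after `header()`: a Location header is advice to the client, not an instruction to the server, and PHP executes everything that follows it unless the script terminates.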