XSS Insertion Prevention

[John]

In PHP you can initializes a connection with cURL: PHP: curl_init - Manual

If the connection is successful, it will return true - else it will return false.

[twalters84]

Hey there,

I believe I may have the correct code for a solution for URL validation.

The output below is correct:

Page Found

Page Not Found

Domain Not Found

However, sometimes there is no output. For instance, check the following:

No Output

I am just wondering why there is no output for this site?

Here is my PHP code for the URL validation checker:

Code:

<?php

  $ch = curl_init();

  curl_setopt($ch, CURLOPT_URL, $_GET['url']);
  curl_setopt($ch, CURLOPT_HEADER, true);
  curl_setopt($ch, CURLOPT_NOBODY, true);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
  curl_setopt($ch, CURLOPT_MAXREDIRS, 10);

  $data = curl_exec($ch);

  curl_close($ch);

  preg_match_all("/HTTP\/1\.[1|0]\s(\d{3})/",$data,$matches);

  $code = end($matches[1]);

  if(!$data) 
  {
      echo "Domain Not Found";
  } 
  else 
  {
    if($code==200) 
    {
      echo "Page Found";
    } 
    elseif($code==404) 
    {
      echo "Page Not Found";
    }
  } 

?>

This was a modification of the code on the following site:

URL Validation Code Reference

Thanks again for any advice. You guys are great!

Sincerely,
Travis Walters
admin@codebuyers.com

[John]

Probably because $data exists, and $code != 200 || $code != 404

[TcM]

Because the website is replying with a 403 code!

Look here:
Ben's HTTP header viewer

HTTP Headers received for / on server www.toasterleavings.com

HTTP/1.1 403 Forbidden
Date: Mon, 14 Jan 2008 06:03:07 GMT
Server: Apache/2.0.52
Accept-Ranges: bytes
Content-Length: 5044
Connection: close
Content-Type: text/html

Maybe that is the problem.

[twalters84]

Hello again,

Thanks for the great responses guys.

My webpages are now only displaying links that are valid!

However, I have been reading about another type of attack people use to hack websites. It is called SQL Injection.

It appears that hackers manipulate the URL string in an attempt to manipulate query strings to the database.

Would htmlspecialchars() and / or htmlentities() take care of the SQL Injection attack type?

Lastly, besides SQL Injection and Cross site scripting (XSS), are there are other types of attacks that I should be taking into consideration to make my website more secure?

Thanks in advance for anymore information you can provide me with. It is truly greatly appreciated.

Sincerely,
Travis Walters
admin@codebuyers.com

[TcM]

Well there are and always will be other methods. Anyways for the SQL injections why not reading this:PHP: SQL Injections

It might help you to understand better.

[John]

Yeah, I spent a lot of time writing the information in that link above, it should do a good job explaining what it is and how to prevent yourself from an attack.

The other big security risk to keep in mind are Remote File Injections (RFI). Unfortunately, I know nothing about them.

[twalters84]

Hey there,

That was a great article you had.

I will definately look at that anytime I do anything with PHP.

I am a hardcore coldfusion programmer so I have spent a few hours looking into coldfusion SQL injection prevention.

I learned a lot reading Ben Forta's article below:

Ben Forta's SQL Injection Prevention Article for Coldfusion

Code:

  <cfquery name="END_USER" datasource="DSN_NAME">
  SELECT ID, USERNAME, PASSWORD, TYPE_ID
  FROM MEMBERS 
  WHERE USERNAME = 
  <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#FORM.USERNAME#">
  AND PASSWORD = 
  <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#FORM.PASSWORD#">
  </cfquery>

According to his article, he recommends using cfqueryparam and that was something I was already doing for the most part.

However, something I was not doing was including the type attribute with cfparam. For example, the following might be done towards the beginning of a page:

<cfparam name="URL.CustID" type="integer">

I will have to spend a few hours and make sure everything is secure with this but I am close already.

Then, I will look into that other type of attack you mentioned.

Thanks again for the help. You guys are great. I am sure I will add to this thread later on if I find anything else related to it.

Sincerely,
Travis Walters
admin@codebuyers.com

[twalters84]

Hey guys,

I have been looking into remote file injections like you mentioned.

I came across the following information:

3. Malicious file execution

The problem: Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system. Any type of Web application is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development.

Real-world example: A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information security the next year after being investigated by the Federal Trade Commission.

How to protect users: Don't use input supplied by users in any filename for server-based resources, such as images and script inclusions. Set firewall rules to prevent new connections to external Web sites and internal systems.

Source: Top 10 Reasons Websites Get Hacked

I never allow executable files to be uploading to my website unless it is in a ZIP folder. In fact, I have the majority of files in a ZIP folder except images.

I am wondering if people can inject special characters into the name of a JPEG image much like the SQL Injection or XSS Insertion?

On my windows machine, it does allow the characters { /,\, :, *, ?, ", <, >, | }. However, I am not sure about Linux or MAC.

I guess the solution here regardless is to rename files randomly among uploading them.

Sincerely,
Travis Walters

[John]

Keep in mind, files can be spoofed. Just because it is a jpg, doesn't mean its not an executable.