Created
July 3, 2019 03:48
-
-
Save mhef/2f65e02ee5e6fd12fb4893cb666f7499 to your computer and use it in GitHub Desktop.
$_SERVER security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. All elements of the $_SERVER array whose keys begin with 'HTTP_' come from HTTP request headers and are not to be trusted. | |
| 2. All HTTP headers sent to the script are made available through the $_SERVER array, with names prefixed by 'HTTP_'. | |
| 3. $_SERVER['PHP_SELF'] is dangerous if misused. If login.php/nearly_arbitrary_string is requested, $_SERVER['PHP_SELF'] will contain not just login.php, but the entire login.php/nearly_arbitrary_string. If you've printed $_SERVER['PHP_SELF'] as the value of the action attribute of your form tag without performing HTML encoding, an attacker can perform XSS attacks by offering users a link to your site such as this: | |
| <a href='http://www.example.com/login.php/"><script type="text/javascript">...</script><span a="'>Example.com</a> | |
| The javascript block would define an event handler function and bind it to the form's submit event. This event handler would load via an <img> tag an external file, with the submitted username and password as parameters. | |
| Use $_SERVER['SCRIPT_NAME'] instead of $_SERVER['PHP_SELF']. HTML encode every string sent to the browser that should not be interpreted as HTML, unless you are absolutely certain that it cannot contain anything that the browser can interpret as HTML. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment