roldahayes Posted July 3, 2009

Hey,

Having a nightmare at the moment with trying to iron out security bugs in a shopping basket to make it pass a security scan. One of the errors that comes back is the possible chance of Cross Site Scripting (XSS).

Basically, when the "buy" button is clicked, the browser's URL has "%2F" inserted into it, and this is causing the problem. After doing some research into it, it seems I need to add a function that removes that part?

The URL that displays when I click the button is as follows:

http://wwwmysite.com/basket.php?src=%2Fpage-title.php&productID=1061011
JonnoTheDev Posted July 3, 2009

Why not set the form action to POST instead of using GET? To remove the encoding, though, you would use urldecode() on the value.
roldahayes Posted July 3, 2009 Author

Not quite sure what you mean by that... The code for the buy button is:

```php
<?php
// The following lines contain the code that should be used with each link that
// you want to create; change the values of $strProd_REF and $strCar_ID as you need to.
//--------------'LINK CODE'---------------------
$strProd_REF = "1234";
$strCar_ID   = "all";

// Look up the product ID for this reference / car combination.
// Both values are hard-coded here; they are not taken from user input.
$sqlSelect = "SELECT Prod_ID FROM products WHERE Prod_REF = '" . $strProd_REF . "' AND Car_ID = '" . $strCar_ID . "' ";

// assign the basic sqlquery
$sqlquery = $sqlSelect;

// get the result set (mysql_* extension, as used on the site in 2009)
$result = mysql_query($sqlquery);

while ($row = mysql_fetch_assoc($result)) {
    // urlencode() protects the query-string value; htmlspecialchars() protects the
    // HTML attribute, so a crafted REQUEST_URI cannot break out of the href.
    $href = "basket.php?src=" . urlencode($_SERVER['REQUEST_URI']) . "&productID=" . $row["Prod_ID"];
    echo "<a href=\"" . htmlspecialchars($href, ENT_QUOTES) . "\">"
       . "<img src=\"images/addtobasket.jpg\" width=\"55\" height=\"28\" border=\"0\" /></a>";
} // end make while

$row = "";
mysql_free_result($result);
//--------------'END LINK CODE'---------------------
?>
```
JonnoTheDev Posted July 3, 2009

What I am saying is: use a form to add a product to the basket rather than using an href. Add the parameters you need to hidden fields:

```php
<form method="post" action="basket.php">
    <!-- values are escaped so they cannot break out of the attribute -->
    <input type="hidden" name="src" value="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES); ?>" />
    <input type="hidden" name="productID" value="<?php echo (int) $row["Prod_ID"]; ?>" />
    <input type="submit" name="submit" value="add to basket" />
</form>
```

You do not need to encode or decode anything.
JonnoTheDev Posted July 3, 2009

Also, why would you do this?

$sqlquery = $sqlSelect;

Why assign the value of a variable to another variable, meaning you have 2 variables in memory space containing the same string? Pointless and inefficient.
roldahayes Posted July 3, 2009 Author

Ok, that makes sense, but we have thousands of products on the site, so I would have to change all of the buy buttons?

Maybe I should look at a different angle on this... The security error is actually showing up from the basket page. The link for the continue shopping button is

<?php echo $_SESSION['returnTo']; ?>

and it is that that's causing the problem... because when it returns to the previous page, it has the %2F in it...
JonnoTheDev Posted July 3, 2009

> Ok, that makes sense, but we have thousands of products on the site, so I would have to change all of the buy buttons?

Surely you have a database and only 2 files to edit: the product detail page, where you can edit the add to basket button, and the product list. Displaying a list of products is done with a loop; simply edit the contents of the loop to include a form for each product. Please tell me you have not hand coded each product's add to basket button.

Also, if you are trying to redirect the user back to the referring page, you should not be passing the script name through the URL as a parameter. You should implement a tracker that stores the URL in a session on each page load. You can then use this to redirect a user. This method could then be used to track users throughout your site. I would want to know what direction a user took on my site to buy a product, i.e. which pages are performing best; also, if a user's tracking stops at the product info screen, then I may think about updating it a little, maybe the photos are no good or the product information is poor. This is essential information with online shops.
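The two fixes proposed in this thread, as an added example that is not code from the thread or from the original site: the add-to-basket button becomes a POST form with escaped hidden fields, and the "continue shopping" target is recorded in the session on each page load rather than passed as a URL parameter. The helper names (`h`, `safe_return_path`, `remember_current_page`, `add_to_basket_form`, `continue_shopping_link`) and the sample inputs are assumptions made for this example; the session is passed in as an array so the snippet runs from the command line without a real request.

```php
<?php
// Added example, not from the thread. Helper names and sample inputs are hypothetical.
declare(strict_types=1);

// Escape a value for use inside an HTML attribute or text node.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only a same-site absolute path such as "/page-title.php?cat=3".
// Anything else (a scheme, a protocol-relative "//host" or "/\host" form,
// control characters such as CR/LF) falls back to the shop front page, so the
// "continue shopping" link can never point off-site or carry script.
function safe_return_path(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate) === 1) {
        return $fallback;
    }
    if ($candidate[0] !== '/') {
        return $fallback;                       // relative path or scheme
    }
    if (strlen($candidate) > 1 && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return $fallback;                       // "//host" or "/\host"
    }
    if (parse_url($candidate, PHP_URL_HOST) !== null) {
        return $fallback;                       // defensive: host must not parse out
    }
    return $candidate;
}

// Tracker called on every normal page load (the approach JonnoTheDev describes):
// store the current path in the session instead of passing it through the URL.
function remember_current_page(array &$session, string $requestUri): void
{
    $session['returnTo'] = safe_return_path($requestUri);
}

// Add-to-basket button as a POST form; the product ID is cast to int and escaped.
function add_to_basket_form(int $productId): string
{
    return '<form method="post" action="basket.php">'
         . '<input type="hidden" name="productID" value="' . h((string) $productId) . '" />'
         . '<input type="submit" name="submit" value="add to basket" />'
         . '</form>';
}

// "Continue shopping" link built from the session value, validated and escaped
// on output, so the basket page no longer echoes a raw, attacker-influenced string.
function continue_shopping_link(array $session): string
{
    $href = safe_return_path($session['returnTo'] ?? null);
    return '<a href="' . h($href) . '">Continue shopping</a>';
}

// Demonstration with constructed inputs; no real request or session is involved.
$session = [];

remember_current_page($session, '/page-title.php?cat=3');   // normal product page
echo continue_shopping_link($session), PHP_EOL;

remember_current_page($session, '"><script>alert(1)</script>'); // not a same-site path
echo continue_shopping_link($session), PHP_EOL;

remember_current_page($session, '//evil.example/');          // protocol-relative URL
echo continue_shopping_link($session), PHP_EOL;

echo add_to_basket_form(1061011), PHP_EOL;
```

Running the snippet with `php` prints a link to the product page for the first case and a link to `/` for the two rejected inputs; the form markup for product 1061011 contains only an integer, so nothing from the request ever reaches the HTML unescaped. Whatever the basket page stores in `$_SESSION['returnTo']`, the rule is the same: validate it as a same-site path before use and escape it at the point of output.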