testing for html/script injection and getting kicked from a server - code-injection

In researching an idea I came across a good YouTube video on security (with nodejs) which covered a lot more than the usual SQL injection. One such was simple script and html injection through html encoding. javascript buffers etc.
In researching this for a project I'm working on I came across this script from the php.net documentation website:
<?php
if ($_POST) {
echo '<pre>';
echo htmlspecialchars(print_r($_POST, true));
echo '</pre>';
}
?>
<form action="" method="post">
Name: <input type="text" name="personal[name]" /><br />
Email: <input type="text" name="personal[email]" /><br />
Beer: <br />
<select multiple name="beer[]">
<option value="warthog">Warthog</option>
<option value="guinness">Guinness</option>
<option value="stuttgarter">Stuttgarter Schwabenbräu</option>
</select><br />
<input type="submit" value="submit me!" />
</form>
Looking at the code, I believed the html injection was safe and as I didn't have somewhere to test this script out, I just uploaded it to a hosting domain I have and played with it remotely. When I tried a basic alert injection:
<script>alert("test");</script>
I got an error from the server (a 403 Forbidden). I thought I malformed the html so I tried some minor variations and before I knew it I was banned from my server :D (I was able to reset it, that's not the concern).
Tonight I deployed a VM with apache and php and started playing with it, and when I used the same code, I actually saw what I'd originally expected to see. The array output is presented as expected because of the htmlspecialchars.
Array
(
[personal] => Array
(
[name] => <b>bold</bold>
[email] => <script>alert("test");</script>
)
[beer] => Array
(
[0] => stuttgarter
)
)
What I'd like to know is:
1. Does the browser do some manipulation that nullifies the script tags since there's nothing in the form that does that? My guess is that nothing is an issue until it's attempted to be parsed by the page on form submission. Correct?
2. When I ran it locally the output was as expected (ie, no alert box and correct parsing) which infers that the values are somewhat "safe" until php attempts to parse them via the print_r. If I remove the htmlspecialchars the page fails to load ERR_BLOCKED_BY_XSS_AUDITOR (so that's good). If the original page never parses the raw code, why would the remote server ban my IP if it's correctly escaped within the output code? Again, I'm guessing, but would it be the host is just preemptively trying to prevent attacks and processing all $_POST vars for XSS?

Related

HTML Form Automation Using Ampersand (&) and Dollar Sign ($) Characters

So I am trying to automate a basic HTML form I fill out a few times each day. I am trying to open the web browser with the form completely filled out. This is often a simple task, as the & character followed by the name of the form element and a value, usually works. Where this becomes tricky is that my form elements have a placeholder that uses the $ character in its name. The code is shown below:
<input name="username" type="text" />
<input name="ctl00$ContentPlaceHolder1$PasswordTextBox" type="password"
id="ctl00_ContentPlaceHolder1_PasswordTextBox" />
<input name="submit" type="submit" value="Click" />
If you look at the name of the password tag you will see the use of the $ character twice. Normally I could just type my URL into Chrome like the folowing:
wwww.theWebSite.html&username=myName&ctl00$ContentPlaceHolder1$PasswordTextBox=myPassword
&submit=Click
The above code would normally work but it doesn't in this case. I don't know why I am getting the error but I think it is due to the use of the $ character. All I am trying to do is load my page into the browser with the above form completely filled out. Any ideas?

PHP7: Form Entries submitting with $_POST doesn't work - $_GET is ok

I am new to Stackoverflow, but I already have a simple problem where I need your help.
I have a simple form, where the user has to submit his first and last name:
<form action="u_eingabe.php" method="post"> <!--enctype="application/x-www-form-urlencoded"-->
<p>First name: <input name="firstname" id="vor"/></p>
<p>Last name: <input name="lastname" id="nach"/></p>
<p><input type="submit" /></p>
The u_eingabe.php contains the following simple code for getting the first and last name:
<?php
echo "Ihre Adresse lautet:" . "<br />";
echo $_POST['firstname'] . " " . $_POST['lastname'] . "<br />";
?>
On PHP5 there is no problem. It just transmits and displays the data. But on PHP 7.0.3 it doesn't show anything and throws the warnings, that the indexes are empty. (Notice: Undefined index: firstname)
The interesting thing is: if i switch to GET as method, everything is fine and it submits and displays the first and last name.
So has everything changed due to PHP7 for post method? Google didn't help out for this problem.
As i mentioned above, it works fine with php5. I didn't mention I use PHPStorm 10.0.3. I continued searching with google and found this:
https://intellij-support.jetbrains.com/hc/en-us/community/posts/206999125-PhPStorm-10-does-not-allow-POST-method
It seems to be an issue in PHPStorm 10.0.2 and higher that POST-Requests are empty in the phpstorm built-in webserver.

The right way to fill and test a web form in ScalaTest and FluentLenium

I'm trying to fill, submit, and test a web form in Play Framework, using ScalaTest and FluentLenium. It seems like it should be very straightforward, but I'm having all kinds of problems.
First, part of the web form in question:
<form class="signin" id="loginform" method="POST" action="/login">
<div class="form-group">
<label for="name">Email Address:</label>
<input type="email" class="form-control" placeholder="Enter Email Address" id="email" name="email" required />
...
This works fine from a real web browser. Now the problem comes when I try to fill in and submit the form:
#RunWith(classOf[JUnitRunner])
#SharedDriver(deleteCookies = false)
#SharedDriver(`type` = SharedDriver.SharedType.PER_CLASS)
class TestWebsiteAuthentication extends Specification {
"Application" should {
"login as an administrative user on the web site" in new WithBrowser with GPAuthenticationTestUtility {
browser.goTo(loginURL)
browser.fill("#email").`with`(prerequisiteAccounts.head.userIdentity) must equalTo(OK)
...
At that last line, I get an exception:
[info] x login as an administrative user on the web site
[error] 'org.fluentlenium.core.action.FillConstructor#1c25c183' is not equal to '200' (TestWebsiteAuthentication.scala:93)
[error] Expected: 200
[error] Actual: org.fluentlenium.core.action.FillConstructor#1c25c183
Any ideas what I'm doing wrong here?
I've tried taking out the "must equalTo(OK)" but this just causes the form to fail on submit -- unfortunately, I haven't been able to find ANY documentation on how to do this, so I'm basically piecing it together bit by bit. Pointers to relevant documentation would be appreciated -- there doesn't seem to be anything complete at Tyrpesafe... just "teasers" that get you started, but no depth. :-(
When you write browser.fill("#email").``with``("x#y.com"), all you're really doing is telling Fluentlenium to edit the template to add a value attribute inside the input tag.
On the other hand, OK is an HTTP status code, so comparing them will naturally yield false.
When you say you tried to submit the form and it failed, i am assuming you did something such as:
browser.fill("#email").`with`("x#y.com")
browser.fill("#password").`with`("myPass")
browser.click("#button") // this should submit the form and load the page after login
and then tried to make an assertion such as:
browser.title() must equalTo("next page") // fails because "next page" != "login page"
one suggestion is to try something like this, Before browser.click:
browser.pageSource() must contain("xyz") // this will fail
When the above assertion fails, it will print the content of browser.pageSource() to your terminal, and you'll be able to see the modifications the Fill function did to the HTML.
In my case, I observed that my pageSource() now contained the following:
<input type="text" id="email" name="email" value="x#y.com"/>
<input type="password" id="password" name="password"/>
Notice how the first input has a value="x#y.com", but the second input is still empty. It turns out the second one is empty because it is an input of type password, however I eventually made the form login work.
Here is a list of things you can look into:
have a database enabled in that Spec
have it populated with Users (in case your form validation connects to a DB, that is)
from what I have experienced, using browser.goTo more than once in a test will not work well with form submission (anyone can confirm?)
Hope this helps

ValidForm Builder file type validation

Does anybody know how to validate the file type input.
I have modified (hard coded) the class.vf_file.php input.
$strOutput .= "<input accept=\".pdf,.doc,.docx\" etc----/>\n";
This helps with Google Chrome, but Safari, Firefox ignore the modifications
Preventing users to submit the form if any other type of file is detected would be the ideal solution.
Thank you
I would recommend using a third party file uploading library like Plupload. We always use ValidForm Builder together with Plupload; works like a charm.
However you can use the meta array to implement custom attributes in the <input> tag without having to hardcode anything:
$objForm->addField(
"upload-document",
"Upload Document",
ValidForm::VFORM_FILE,
array(), // Validation array
array(), // Error handling array
array( // Meta array
"fielddata-extensions" => "pdf,doc,docx"
)
);
By prefixing meta keys with the 'field' prefix, you add that specific meta to the <input> field itself instead of it's wrapping <div class='vf__optional'></div>
The above example will output:
<div class="vf__optional">
<label for="upload-image">Upload Image</label>
<input type="hidden" name="MAX_FILE_SIZE" value="2097152">
<input type="file" value="" name="upload-image[]" id="upload-image" class="vf__file" data-extensions="pdf,doc,docx">
</div>
So using a combination of meta and a third party file upload handler, you can actually to pretty cool stuff.
That being said -- I must admit that the file upload field didn't get as much attention as the other field types lately.

Creating a Wordpress Plugin - Form Submission Fails when passed value of 00x00

I am writing a pretty simple plugin. I notice that when I submit a form with a text field with a value that is 2 or more digits followed by an x then followed by two or more digits that the form doesn't submit it redirects me to the index page. I get an apache error log message : [error] [client ::1] script '/Applications/MAMP/htdocs/index.php' not found or unable to stat but that is all of the info I can find.
To narrow down the problem, I made a super basic form that runs in the admin section with only one field. When it is submitted it calls a javascript alert to show the $_POST value. This works all day long UNTIL I enter 00x00 or any digits really with an x between them, 123x123, 999999999x999999999 etc...
In it's intended use this field would have a dimension like 120x120 but for what ever reason the x is causing something weird to happen. Any ideas?
Here is the stripped down basic example, added to an admin menu page
<?php
if(isset($_POST['update'])){
echo '<script type="text/javascript">', 'alert("' . $_POST['image_url'] . '");', '</script>';
}
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI']);?>">
<input name="image_url" id="image_url" type="text" maxlength="200" value="00x00"/>
<input name="update" type="submit" id="update" value="Submit" />
</form>