XSS Filtering / Cross Site Scripting protection with Low GoogleSearch
Is there a way to ensure protection against cross site scripting (XSS filtering) with Low GoogleSearch? Currently, for example, if I submit a search (using the input field of a Low GoogleSearch field) and I enter "< script > test < / script >" the form still submits. Whereas this should be filtered out and return an error instead or something along those lines.
This has been identified by a white hat security consultant as a serious vulnerability for us to address on our site, so I'm really hoping to get some help to resolve this as I love the add-on and it's crucial to our site.
Replies
Low 7 Nov 2014 18:27
Is just being able to submit script-tags a vulnerability, even if the keywords are turned to entities when displayed? That seems strange to me.
Terry Evans 7 Nov 2014 18:49
Hi Low,
Appreciate the quick response. Apparently yes, it is. This is a pretty hard core consultant as the site is for a MAJOR global brand. I would mention who the brand is here but I don't want to trigger any compromises. Here's some info we got from our web host regarding the issue:
Issues relating to XSS pertain to field input along with $_REQUEST sanitation within the coding of the site. We do have ModSecurity enabled for your site, which can assist in blocking known malicious requests based on a dictionary of regexes that are used to search the URL; however, threats that are not known or that pass the tests may still cause issues for the site. What should be done is to ensure that all inputs on pages are sanitized before any process is run. Fields such as the search field and others can be the primary location for these types of attacks, which can cause scripts from other locations to be included on your page. You can see this with your search field, using the input of the search field in the source of the search results page:
You searched for "<script type='text/javascript'>alert{hello);</script>"
Results 0 – 0 of about 0.
This could cause someone to properly escape the input, including remote JavaScript resources, to cause issues for your site. The use of http://php.net/manual/en/function.htm... and http://php.net/manual/en/mysqli.real-... can help with such sanitation of REQUEST variables sent to your site.
Thanks
Terry
Low 7 Nov 2014 18:58
As suggested, the keywords are already passed through htmlspecialchars() before they are put in the template, so there shouldn't be any danger there that I'm aware of.
If need be, adding a strip_tags() to the submitted keywords is easy.
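The two operations discussed in this thread, output encoding with htmlspecialchars() and input filtering with strip_tags(), as an added example. This is illustrative code written for this page, not the Low GoogleSearch add-on's own source; the function names and the sample search strings are assumptions constructed to mirror the host's scan report.

```php
<?php
// Added example, not code from Low GoogleSearch or ExpressionEngine.
// Shows what htmlspecialchars() and strip_tags() each do to a submitted
// search string before it is placed into a template. Function names and
// the sample inputs below are assumptions constructed for illustration.

declare(strict_types=1);

// Constructed sample inputs resembling what a security scanner submits.
const SAMPLE_KEYWORDS = [
    'plain'      => 'expressionengine addons',
    'script'     => "<script type='text/javascript'>alert(1);</script>",
    'attr_break' => '" onmouseover="alert(1)',
    'no_tags'    => 'a < b && c > d',
];

// The unsafe pattern the host's advice warns about: raw keywords echoed
// straight into the results page.
function render_unsafe(string $keywords): string
{
    return 'You searched for "' . $keywords . '"';
}

// Output encoding: the defence that stops the browser from treating the
// keywords as markup. ENT_QUOTES also encodes single quotes so the value is
// safe inside either kind of attribute; the charset must match the page's.
function encode_for_html(string $keywords): string
{
    return htmlspecialchars($keywords, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $keywords): string
{
    return 'You searched for "' . encode_for_html($keywords) . '"';
}

// Input filtering as a separate, second step: drop tags from the keywords
// (or reject the request when contains_tags() is true) before the search
// runs. This satisfies a scanner that looks for reflected <script> tags,
// but it is not a substitute for encoding: the 'attr_break' sample contains
// no tag at all, so strip_tags() leaves it untouched.
function strip_script_tags(string $keywords): string
{
    return strip_tags($keywords);
}

function contains_tags(string $keywords): bool
{
    return strip_tags($keywords) !== $keywords;
}

// The same value echoed back into an attribute (e.g. to refill the search
// box); only encoding protects this context.
function render_attr_safe(string $keywords): string
{
    return '<input name="q" value="' . encode_for_html($keywords) . '">';
}

foreach (SAMPLE_KEYWORDS as $label => $kw) {
    echo "== $label ==\n";
    echo "unsafe:   " . render_unsafe($kw) . "\n";
    echo "encoded:  " . render_safe($kw) . "\n";
    echo "stripped: " . strip_script_tags($kw) . "\n";
    echo "has tags: " . (contains_tags($kw) ? 'yes (strip or reject)' : 'no') . "\n";
    echo "attr:     " . render_attr_safe($kw) . "\n\n";
}
```

Run it with `php example.php` and compare the `unsafe` and `encoded` lines for the `script` sample: the encoded output is what a template that already passes keywords through htmlspecialchars() produces, which is why the reflected tag is inert even though the form accepts it. The `has tags` line is the check a mod file would use to strip the tags or return an error so that a scanner no longer sees `<script>` echoed back.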
Terry Evans 7 Nov 2014 19:19
Hi Low,
I totally get what you're saying and appreciate that you, of all developers, would have the experience to build your add-on with all the necessary security. But I digress, these guys are sticklers.
These guys have "scan" software they run on the site and, currently, all pages with the Low GoogleSearch form on them are failing; at this point I'm guessing it's because the script tags are not stripped. If we added those, it might be the first step to hopefully "passing" their scan.
Would you be able to do that?
Thanks!
Terry
Low 7 Nov 2014 19:34
Absolutely. I can send you a version of the mod-file that will strip out script-tags or just flat out throw an error if the keywords contain any. Just send me an email at hi at gotolow dot com.
Terry Evans 8 Nov 2014 00:08
Email sent. Thanks!