Setup is the same as the previous article. Once the user logs in, there will be a little dashboard where the user can search for some values. Below is the code used to implement the functionality. Vulnerable code: [php]
Well, it seems the script is not getting executed. Let us inspect the error console and see what’s happening.
It is clear from the console that XSS Auditor in Google Chrome is preventing execution of the script. Additionally, it says that it is enabled because there is no X-XSS-Protection or Content-Security-Policy header sent by the server. We can customize this filtering by enabling X-XSS-Protection or Content-Security-Policy headers. Let us first try to disable the protection using the following line. [plain] header(“X-XSS-Protection: 0”); [/plain] After adding the above line of code to our page, the page should look as shown below. [php]
Let us also check the same page in Firefox, which pops up an alert box as expected.
Now, let us change the value of this header to 1 and try again in the browser. [plain] header(“X-XSS-Protection: 1”); [/plain] If you observe the HTTP headers, you can notice that the header has been enabled. HTTP HEADERS: [plain] HTTP/1.1 200 OK Date: Sun, 12 Apr 2015 14:54:42 GMT Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0 X-Powered-By: PHP/5.6.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=8dfb86b13ec9750d1f1afdfc004f5042; path=/ X-XSS-Protection: 1 Content-Length: 820 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 [/plain] Well, if we now execute the same vulnerable URL, the script won’t be executed. Let us look at the Chrome’s console and see what happened.
As we can see in the above console, the script is not executed because of the header we sent. [plain] header(“X-XSS-Protection: 1”); [/plain] The above header, when sent with no additional arguments, just stops the script from its execution. We can also add an additional value to this header as shown below. [plain] header(“X-XSS-Protection: 1; mode=block”); [/plain] When this header is sent, the browser doesn’t execute the script and shows a blank document to the user as shown below.
Below are the headers sent: [plain] HTTP/1.1 200 OK Date: Mon, 13 Apr 2015 09:59:22 GMT Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0 X-Powered-By: PHP/5.6.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=729f2f716310ccfe353c81ced1602cf0; path=/ X-XSS-Protection: 1; mode=block Content-Length: 846 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 [/plain] Though it works fine with popular browsers like Internet Explorer, Chrome and Safari, Firefox doesn’t support this header and still we can see the alert box popping up as shown below.
So, this header should be used to have defense in depth in place, but it can’t protect the site completely and thus developers have to make sure they have additional mitigation controls implemented.