OWASP A2 – Cross-Site Scripting (XSS) with PHP Part 2

Today we will finish up ASVS section 5. Next week we will begin ASVS 6.x (Output Encoding/Escaping Requirements). This should be a pretty short post.

ASVS 5.6 Requirement:

Verify that a single input validation control is used by the application for each type of data that is accepted.

ASVS 5.6 Solution:

Watch out for data validation code sprawl. Use the same data validation code for the same data type each time you perform the validation. Don’t rewrite or add the validation code to each page of PHP. Write it once as a function or class and then include that function/class in the pages requiring validation.

ASVS 5.7 Requirement:

Verify that all input validation failures are logged.

ASVS 5.7 Solution:

Record validation failures to a log file, database table, or both. This will help in performing forensics if the site is compromised as well as in responding to incidents/attacks as they occur. I will use the whitelist validation function from last week as an example, removing the comments from that demonstration:

  function dataValidator($type, $data) {
    // Canonicalize first: decode HTML entities so that encoded input is
    // validated in the same form a downstream interpreter would see it.
    $decodeData = html_entity_decode($data, ENT_QUOTES, 'UTF-8');

    $typeArray = array(
      "number" => '/^[0-9]+$/',
      "letter" => '/^[a-zA-Z]+$/',
      "alphan" => '/^[a-zA-Z0-9]+$/'
    );

    // Fail closed on an unknown data type instead of matching against nothing.
    if (!isset($typeArray[$type])) {
      return false;
    }

    if (preg_match($typeArray[$type], $decodeData)) {
      return true;
    } else {
      // Pseudo code for calling a logging function (writeLog is not a
      // built-in). Passing the date/time ('H:i:s' is hours:minutes:seconds),
      // the type to be tested, as well as the data that was passed (encoded
      // so the log entry itself cannot carry markup into a log viewer).
      writeLog(date('Y-m-d H:i:s') .
        " - $type Validation failed with the following data: " .
        htmlentities($decodeData, ENT_QUOTES, 'UTF-8', false));
      return false;
    }
  }

ASVS 5.8 Requirement:

Verify that all input data is canonicalized for all downstream decoders or interpreters prior to validation.

ASVS 5.8 Solution:

Data supplied in an unexpected encoding or character set can often bypass validation filters or be used in directory traversal attacks. Canonicalization enforces a specific character set and encodes the data (or resolves the file path) in a way that reduces or eliminates the risk of XSS or directory traversal. This is accomplished through setting a default character set, encoding data, and canonicalizing file paths. Configure the default character set for PHP by adding or modifying this line in php.ini:

  default_charset = "ISO-8859-1"

User supplied data which contains paths can be canonicalized with the realpath() PHP function:


User supplied data can be encoded into HTML entities using htmlentities() or htmlspecialchars(). htmlentities() encodes every character that has an HTML entity equivalent, whereas htmlspecialchars() converts only the special characters. We will discuss these functions when we cover ASVS 6.x (starting next post).

Example code putting it all together:

  // The charset must be a quoted string; note that realpath() returns false for a path that does not exist.
  $safeData = htmlentities(realpath($data), ENT_QUOTES, 'ISO-8859-1', false);
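As an added example (not code from the original post), the 5.6, 5.7 and 5.8 requirements combined into one shared validator: it canonicalizes input before matching it against a per-type whitelist, logs every failure through PHP's built-in error_log(), and confines a user-supplied path with realpath(). The names validateInput(), canonicalize() and safePath() are assumed; it needs PHP 8 (for str_starts_with()) and the mbstring extension (for mb_check_encoding()).

```php
<?php
// Added example (not from the post): one shared validator (ASVS 5.6) that
// canonicalizes before validating (5.8) and logs every failure (5.7).
// validateInput(), canonicalize() and safePath() are assumed names.

const INPUT_PATTERNS = [
    'number' => '/^[0-9]+$/',
    'letter' => '/^[a-zA-Z]+$/',
    'alphan' => '/^[a-zA-Z0-9]+$/',
];

// Canonicalize first: reject byte sequences that are not valid UTF-8, then
// decode HTML entities so "&#60;script&#62;" is checked as "<script>".
function canonicalize(string $data): ?string {
    if (!mb_check_encoding($data, 'UTF-8')) {   // needs the mbstring extension
        return null;
    }
    return html_entity_decode($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function validateInput(string $type, string $data): bool {
    if (!isset(INPUT_PATTERNS[$type])) {
        throw new InvalidArgumentException("Unknown input type: $type");
    }
    $canonical = canonicalize($data);
    if ($canonical !== null && preg_match(INPUT_PATTERNS[$type], $canonical) === 1) {
        return true;
    }
    // ASVS 5.7: record the failure. The value is HTML-encoded so the log
    // entry cannot itself inject markup into a web-based log viewer.
    $safe = htmlentities($canonical ?? $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    error_log(sprintf('%s - %s validation failed for %s: %s',
        date('Y-m-d H:i:s'), $type, $_SERVER['REMOTE_ADDR'] ?? 'cli', $safe));
    return false;
}

// ASVS 5.8 for paths: resolve with realpath() and keep the result inside
// $baseDir, which blocks "../" traversal and symlinks pointing outside it.
function safePath(string $baseDir, string $userPath): ?string {
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false) {
        return null;                            // base or target does not exist
    }
    return str_starts_with($real, $base . DIRECTORY_SEPARATOR) ? $real : null;
}
// Constructed sample inputs, not taken from the post.
var_dump(validateInput('alphan', 'abc123'));
var_dump(validateInput('alphan', '&#60;script&#62;'));
var_dump(safePath(sys_get_temp_dir(), '../../etc/passwd'));
```

error_log() writes to the SAPI or php.ini error_log destination, so the same failure record lands in one place regardless of which page called the validator.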

ASVS 5.9 Requirement:

Verify that all input validation controls are not affected by any malicious code.

ASVS 5.9 Solution:

Scan your code for viruses, or any malicious backdoors. Perform manual and automated code reviews.
