
I'm testing XSS vulnerability attacks in Android. For this I've developed a web view, where I load an HTML file which contains a simple form for entering name and email. The contents of the HTML file are:

<html>
<body>

<form action="search.php" method="get">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>

</body>
</html>

I send the data via GET to a PHP file, which echoes whatever is written in the name field. The contents of the PHP file are:

<html>
<head>
<title> You searched for: </title>
</head>
<body>
<?php
    echo $_GET['name'];
?>
</body>
</html>

Now, my intention is to write JavaScript inside the name field, so that when I echo it, the script is executed. Normal strings passed in the name field are echoed successfully, so I know that the PHP code is actually working.

This works on: Mozilla Firefox.

Doesn't work on: Chrome, Android Emulator, Android real device.

EDIT: I missed the input. I am adding JavaScript in the name field. So the input can be a simple script such as:

<script language="Javascript">alert("Hello");</script>

Since I'm not sanitizing the input, I expect the script to execute. You can refer to this link for more information.

But the output is a blank page with no output, which means the script isn't executed.

Any ideas?

Note: I'm concerned with this not working on the emulator/Android device only, so please don't answer for Chrome.

Not sure what your question is. What are you passing in? What do you expect to happen, and what is actually happening? - Shaun Scovil

Well, your question is not clear. - Alpesh Panchal

My answer was for Chrome, but in general, you can verify what is happening with the technique I described. Many modern browsers have reflected XSS prevention techniques, so you can test if you are being hit with the XSS prevention by seeing if regular HTML renders, while JavaScript gets rejected. - Gray

1 Answer

Try it with something other than script tags, like some html such as <b>hello</b> and see if it renders as bold. Chrome has an XSS auditor that blocks reflected XSS attacks. Check the console to see if that is the case.

Chrome will have a note in the console that says:

The XSS Auditor refused to execute a script in '<your page>' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

Here's a related article on security.se on it: https://security.stackexchange.com/questions/53474/is-chrome-completely-secure-against-reflected-xss

I just saw your edit. My answer is for Chrome, but I suspect that your Android device is employing a similar technique (I don't have one to test with). If you would like to bypass the auditor, you can do something like:

<html>
   <head>
      <title> You searched for: </title>
   </head>
   <body>
      <script>
         <?php
            echo $_GET['name'];
         ?>
      </script>
   </body>
</html>

Then you can make a request like ?name=alert(1), and the auditor probably won't block it.
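For contrast, here is an added example (not code from the question or the answer) of the question's search.php hardened so that the echoed value is encoded and the headers named in the auditor message are sent; the escape_html helper and the exact CSP values are my own assumptions, the form field name "name" comes from the question.

```php
<?php
// Added example: hardened search.php for the question's form (field "name").
// The browser-side XSS Auditor the answer refers to has since been removed
// from Chrome, so output encoding, not the header, is the actual defence.

// A restrictive Content-Security-Policy blocks inline scripts outright;
// X-XSS-Protection is only for older browsers that still honour it.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header("X-XSS-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");
header("Content-Type: text/html; charset=UTF-8");

/**
 * Encode a value for insertion into an HTML text node or quoted attribute.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE keeps invalid UTF-8
 * from turning the whole output into an empty string.
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Do not assume the parameter exists or is a string: ?name[]=x would make a
// bare echo emit a notice and the word "Array".
$raw  = $_GET['name'] ?? '';
$name = is_string($raw) ? $raw : '';
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>You searched for: <?= escape_html($name) ?></title>
</head>
<body>
<!-- The question's payload <script>alert("Hello");</script> now renders as
     literal text: the browser sees &lt;script&gt;, not a script element. -->
<p>You searched for: <?= escape_html($name) ?></p>
</body>
</html>
```

With this version the <b>hello</b> probe from the answer also shows up as literal text rather than bold, which is the quick way to confirm the encoding is applied on every output path.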