Kauft das PHP-Sicherheitsbuch!Links Tag cloud@christopherkunz
|
Thursday, November 9. 2006PHP Conference 2006 - Session Slides and Quiz answersI already blogged this at our PHP Security Blog, but it is not (yet? hey Toby
Just as a quick hint for the answers, I decided to blog about which answer is right - and why. 1. The third answer is correct, apart from the fact that the regexp is lacking a delimiter. Were it a correct regexp (which we assume is only due to a typo), it would strip all NON-WORD characters from the string. Answers 1 and 2 do not protect against closing of HTML tags (answer 1, " and > are only prefixed with \, which doesn’t matter for HTML renderers) and closing of HTML attributes (strip_tags does strip anything between <>, but NOT attributes like “ foo=”bar" which do not contain <>). 2. Answer 2 is correct. The /e modifier for preg_replace is fed a string from $_GET. The htmlentities call which supposedly escapes double quotes is executed after the string is imported from $_GET. A string like \");phpinfo(); in $_GET[’name’] would therefor allow remote code execution. Answers 1 and 3 are not correct because 1 does not give a 1-request remote code execution, but only a local one, although exploiting that would be trivial. Answer c simply is not vulnerable because in this answer, htmlentities() is called outside the eval (concatenated with ..). 3. Answer 5 is correct, since any tag can contain e.g. a “style” attribute. 4. Answer 4 is correct, since the JavaScript “virtual machine” inside the browser has no control over the client-side file system. Keylogging via JS, a simple TCP port scanner and viable Session Riding attacks have all been successfully done with XSS already. Trackbacks
Trackback specific URI for this entry
No Trackbacks
|
) aggregated on planet-php, so here goes again.
), you can get them here: