
Dangers of CSRF and XSS

Monday 27 July 2009 1:59:13 am


While the image tag is the most frequent method of attack, CSRF can be mounted in a number of other ways that from some perspectives are far nastier and much harder to spot. One such attack can be mounted through the background CSS attribute, which allows for the specification of an image that is to be used as a background for a page element.

How can CSS be injected into the page? It is simpler than you might think, and quite common. The problem originates from the fact that many PHP applications let users control how their content is displayed by allowing simple HTML formatting tags such as bold and italics. In many cases this allowance is implemented through the optional second parameter of the strip_tags() function, which excludes certain supposedly harmless tags from removal. A developer who wants users of the application to be able to use basic formatting tags simply tells the function not to remove them. For example, to allow bold and italics, the function would be called like this:

strip_tags($test, "<b><i>");

Seems pretty simple and safe, right?

Alas, this is not the case. When the strip_tags() function makes an allowance for a tag, it allows the tag in its entirety, including any attributes it may have. This means that while the attacker cannot inject other tags, he can pack attributes into the allowed tags. Technically, according to the W3C specification, tags such as b and i do not support styling elements governing the background of an element. Unfortunately, this hardly matters to most browsers because they support them anyway. So, to repeat the tricks we performed on the image tag, we simply need to use a style attribute as in the following example:

$text = '<b style="background: url(\'http://hacker.com/me/.jpg\')">TEST</b>';

While a broken image will show up in the browser as an icon or similar indication, a missing or broken background is completely transparent and thus much more difficult to detect.

Hopefully, this example illustrates why the tag allowance feature of strip_tags() should not be used. Instead, consider implementing a small subset of BBCode, which does not support attributes. The BBCode parser converts the tags to the equivalent HTML, giving the user the ability to format text without opening attribute-based vulnerabilities. You do not have to write a parser yourself, as ready-to-use tools exist. For example, the PEAR class HTML_BBCodeParser would serve the purpose well; it can be downloaded from http://pear.php.net/package/HTML_BBCodeParser. An alternative to BBCode is the SafeHTML PHP package, available from http://pixel-apes.com/safehtml, which removes all unsafe HTML elements and attributes from the given text.
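The following is an added example, not code from the original article: it shows a strip_tags() allow list letting a style attribute through, beside a minimal attribute-free BBCode renderer of the kind recommended above. The hostname and the render_bbcode() function are assumptions made for the demonstration.

```php
<?php
// Added example. Constructed input: an allow-listed <b> tag that carries a
// style attribute (placeholder hostname), plus a <script> tag that is not
// on the allow list.
$input = '<b style="background:url(\'http://attacker.example/x.jpg\')">TEST</b>'
       . '<script>x()</script>';

// strip_tags() removes the <script> tag but keeps the whole <b ...> tag,
// including its style attribute, so the background URL would still be
// requested by any browser rendering this output.
$leaky = strip_tags($input, '<b><i>');

// Hardened alternative (assumed helper, not part of the article): treat the
// submission as text, HTML-escape all of it, then translate a tiny
// attribute-free BBCode subset into markup generated entirely by us. No
// user-supplied attribute can reach the resulting HTML.
function render_bbcode(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace(
        ['~\[b\](.*?)\[/b\]~s', '~\[i\](.*?)\[/i\]~s'],
        ['<b>$1</b>', '<i>$1</i>'],
        $escaped
    );
}

// Any raw HTML the user types, including a style attribute, is escaped and
// displayed literally; only the BBCode markers become tags.
$safe = render_bbcode('[b]TEST[/b] <b style="background:url(x)">raw</b>');

echo "strip_tags allow list: ", $leaky, "\n";
echo "BBCode subset:         ", $safe, "\n";
```

Run it with the PHP CLI and compare the two lines: the first still contains the style attribute, the second contains no tag that the user wrote.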

Aside from background tricks and image tags, almost any tag that triggers the automatic download of a linked resource can be a vector for CSRF. Tags like iframe and script are generally not available to users, but if their contents can be influenced through an unverified variable, they pose a threat equal to the mechanisms explained above.
