Fix XSS by applying context-aware encoding

passman-dev/php/passman/dashboard.php

@@ -26,12 +26,23 @@ if(isset($_POST['new_website'], $_POST['new_username'], $_POST['new_password'])
 	$new_username = trim($_POST["new_username"]);
 	$new_password = trim($_POST["new_password"]);
 
-	// Insert new web site
+	// Insert new web site using a prepared statement to prevent SQL injection.
 	$sql_query = "INSERT INTO websites (login_user_id, web_url, web_username, web_password) VALUES " .
-				"((SELECT id FROM login_users WHERE username='{$username}'),'{$new_website}','{$new_username}','{$new_password}');";
-	//echo $sql_query;
-	$result = $conn->query($sql_query);
+				"((SELECT id FROM login_users WHERE username = ?), ?, ?, ?)";
+
+	$stmt = $conn->prepare($sql_query);
+	if ($stmt === false) {
 		$conn->close();
+		die("Prepare failed.");
+	}
+
+	$stmt->bind_param("ssss", $username, $new_website, $new_username, $new_password);
+	//echo $sql_query;
+
+	$result = $stmt->execute();
+	$stmt->close();
+	$conn->close();
+
 
 	// After processing, redirect to the same page to clear the form
 	unset($_POST['new_website']);
@@ -45,11 +56,25 @@ if(isset($_POST['new_website'], $_POST['new_username'], $_POST['new_password'])
 if(isset($_POST['delete_website']) && trim($_POST["websiteid"] != '')) {
 	$webid = trim($_POST["websiteid"]);
 
+	// Cast to int to avoid unexpected input and use a prepared statement to prevent SQL injection.
+	$webid = (int)trim($_POST["websiteid"]);
+
 	// Delete selected web site
-	$sql_query = "DELETE FROM websites WHERE webid='{$webid}';";
-	//echo $sql_query;
-	$result = $conn->query($sql_query);
+	$sql_query = "DELETE FROM websites WHERE webid = ?";
+
+	$stmt = $conn->prepare($sql_query);
+	if ($stmt === false) {
 		$conn->close();
+		die("Prepare failed.");
+	}
+
+	$stmt->bind_param("i", $webid);
+	//echo $sql_query;
+
+	$result = $stmt->execute();
+	$stmt->close();
+	$conn->close();
+
 
 	// After processing, redirect to the same page to clear the form
 	unset($_POST['websiteid']);
@@ -57,10 +82,21 @@ if(isset($_POST['delete_website']) && trim($_POST["websiteid"] != '')) {
 	exit();
 }
 
-// Display list of user's web sites
-$sql_query = "SELECT * FROM websites INNER JOIN login_users ON websites.login_user_id=login_users.id WHERE login_users.username='{$username}';";
+// Display list of user's web sites using a prepared statement to prevent SQL injection.
+$sql_query = "SELECT * FROM websites INNER JOIN login_users ON websites.login_user_id=login_users.id WHERE login_users.username = ?";
 //echo $sql_query;
-$result = $conn->query($sql_query);
+
+$stmt = $conn->prepare($sql_query);
+if ($stmt === false) {
+    $conn->close();
+    die("Prepare failed.");
+}
+
+$stmt->bind_param("s", $username);
+$stmt->execute();
+$result = $stmt->get_result();
+$stmt->close();
+
 
 //echo htmlspecialchars($username);
 echo "<h3>Entries of " . $username . "</h3>";

passman-dev/php/passman/notes.php

@@ -50,14 +50,25 @@ if(isset($_POST['new_note']) && trim($_POST['new_note']) !='') {
 	//$sql_query = "INSERT INTO notes (login_user_id,note) VALUES " .
 	//			 "((SELECT id FROM login_users WHERE username='{$username}'),('{$new_note}'));";
 
+    // Insert new note using a prepared statement to prevent SQL injection.
     $sql_query = "INSERT INTO notes (login_user_id, note) ".
-				 "VALUES ((SELECT id FROM login_users WHERE username='{$username}'), '{$new_note}')";
+                "VALUES ((SELECT id FROM login_users WHERE username = ?), ?)";
 
+    $stmt = $conn->prepare($sql_query);
+    if ($stmt === false) {
+        // Fail closed (do not leak DB details).
+        $conn->close();
+        die("Prepare failed.");
+    }
+
+    $stmt->bind_param("ss", $username, $new_note);
     //echo $sql_query;
 
-	$result = $conn->query($sql_query);
+    $result = $stmt->execute();
+    $stmt->close();
     $conn->close();
 
+
 	// After processing, redirect to the same page to clear the form
 	unset($_POST['new_note']);
 	header("Location: " . $_SERVER['PHP_SELF']);
@@ -73,12 +84,17 @@ echo "<h3>List of notes/comments</h3>";
 
 if (!empty($result) && $result->num_rows >= 1) {
     while ($row = $result -> fetch_assoc()) {
+        // Escape output to prevent stored XSS (DB content must be treated as untrusted).
+        $safe_note = htmlspecialchars($row["note"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+        $safe_user = htmlspecialchars($row["username"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+
         echo "<div class='note'>";
-		echo	"<div class='note-content'>" . $row["note"] . "</div>";
-		echo	"<div class='note-signature'> by " . $row["username"] . "</div>";
+        echo    "<div class='note-content'>" . $safe_note . "</div>";
+        echo    "<div class='note-signature'> by " . $safe_user . "</div>";
         echo "</div>";
     }
 
+
 	// Free result set
 	$result -> free_result();
 } else {

passman-dev/php/passman/register.php

@@ -29,11 +29,19 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 		//}
 		require_once __DIR__ . "/config.php";
 
-		// Insert a new user
-		$sql_query = "INSERT INTO login_users (username,password) VALUES ('{$new_username}','{$new_password}');";
-		//echo $sql_query;
+		// Insert a new user using a prepared statement to prevent SQL injection.
+		$sql_query = "INSERT INTO login_users (username, password) VALUES (?, ?)";
+
+		$stmt = $conn->prepare($sql_query);
+		if ($stmt === false) {
+			$login_message = "Database error (prepare failed).";
+			$result = false;
+		} else {
+			$stmt->bind_param("ss", $new_username, $new_password);
+			$result = $stmt->execute();
+			$stmt->close();
+		}
 
-		$result = $conn->query($sql_query);
 
 		unset($_POST['new_username']);
 		unset($_POST['new_password']);

passman-dev/php/passman/xss/stolencookies.txt

@@ -0,0 +1,3 @@
+
+PHPSESSID=2c215dd41fe1090a5da5d0f3adc6ba64
+PHPSESSID=2c215dd41fe1090a5da5d0f3adc6ba64

passman-dev/php/xss/stolencookies.txt

@@ -1,2 +0,0 @@
-PHPSESSID=knjfug3u4gavdas9o4eupe38l1; seclab_user=u1
-seclab_user=u1; PHPSESSID=o1mg400lipd2mck69kpfnl6p5s