Diffstat (limited to 'xss-check.php.sample')
-rw-r--r-- | xss-check.php.sample | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/xss-check.php.sample b/xss-check.php.sample
new file mode 100644
index 0000000..bfc7973
--- /dev/null
+++ b/xss-check.php.sample
@@ -0,0 +1,48 @@
+<?php
+
+/**
+ * We don't automatically set this up, because it depends on server
+ * configuration.
+ *
+ * This is a sample, it's what I use on mckenzierobotics.org
+ * So, it may help you to know that I have several systems interacting there.
+ * http://mckenzierobotics.org/ Base of entire site
+ * http://mckenzierobotics.org/mm/ WordPress
+ * http://mckenzierobotics.org/wp/ MessageManager
+ *
+ * The 'conf' table for MessageManager has 'baseurl' set to '/mm/'; it does NOT
+ * include the hostname.
+ *
+ * The idea of this approach is we inspect the HTTP_REFERER to decide if the
+ * user came from an acceptable URL. This is tricky because this isn't
+ * nescessarily just URLs inside of MessageManager's "baseurl", and URLs from
+ * inside of "baseurl" might not be trusted (like email body files).
+ */
+function xss_attack() {
+ $siteurl = 'http://mckenzierobotics.org/';// basic trusted base
+ $mmurl = $siteurl.'mm/';// where MessageManager is
+
+ if (!isset($_SERVER['HTTP_REFERER']))
+ return false;
+
+ $from = $_SERVER['HTTP_REFERER'];
+ $method = $_SERVER['REQUEST_METHOD'];
+
+ switch ($method) {
+ case 'PUT': break;
+ case 'POST': break;
+ case 'GET': return false; break;
+ case HEAD: return false; break;
+ default: break;
+ }
+
+ if (substr($from,0,strlen($siteurl)) != $siteurl)
+ return true;
+
+ $messages = '@^'.preg_quote($mmurl.'messages/','@').'.*/.@';
+ if (preg_match($messages, $from))
+ // Someone cleverly tried to XSS us from inside a message
+ return true;
+
+ return false;
+}
\ No newline at end of file |
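Review bot: A request carrying no Referer header is treated as safe — the `isset` guard at the top of `xss_attack` returns false before the method is even examined — so a cross-site POST from a page that sets `<meta name="referrer" content="no-referrer">`, or from any HTTPS origin (browsers drop the Referer on an HTTPS→HTTP downgrade, and `$siteurl` is plain http), bypasses the check entirely. Since the switch already returns false for GET and HEAD, moving that guard below the switch and changing it to `return true; // no Referer on a state-changing request: fail closed` keeps read-only requests unaffected; a Referer check is at best a second line of defence behind a per-session CSRF token, which this function does not provide. `case HEAD:` uses an undefined bare constant — it resolves to the string 'HEAD' with a notice on PHP 5/7 and throws a fatal `Error` on PHP 8 — and should read `case 'HEAD':`. The prefix test would also be safer written as `if (strncmp($from, $siteurl, strlen($siteurl)) !== 0)` rather than the loose `!=`. The header comment lists `/mm/` as WordPress and `/wp/` as MessageManager, which contradicts `$mmurl = $siteurl.'mm/'` and the 'baseurl' note just below it — presumably the two labels are swapped.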