Bypass stripos XSS prevention

Hello,
I need to bypass a XSS check which is using stripos to prevent using script tags by detecting the work "script"
<?php
if (stripos($a, 'script') !== false) return false; return true;
?>

Open in new window

The web server also has a CSP policy (default-src none; script-src: nonce-key) and requires a nonce parameter within the script tag.
Thank you for your help.
Alexandros KakourisAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gr8gonzoConsultantCommented:
XSS isn't executed within PHP. It's a technique / concept executed within the browser at runtime, and that's where the CSP policy and everything will apply. If you have that PHP code that just checks for "script" within $a, then you can bypass it by just returning true before it runs:

<?php
return true; // <======
if (stripos($a, 'script') !== false) return false; return true;
?>
0
Alexandros KakourisAuthor Commented:
I have no access to change the php code and I need to bypass it as a client.
0
gr8gonzoConsultantCommented:
You cannot override PHP code on the server as a client. That's why server-side code is used for security. If clients code override PHP code whenever they wanted, it would be mass chaos.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

NerdsOfTechTechnology ScientistCommented:
Bypass: XSS can be done without specifying 'script' or 'javascript' like below, as javascript is the implied scripting language on major browsers:

<b onmouseover=alert('XSS')>hover over me</b>

Open in new window

(albeit the HTML will be slightly invalid, but it works)

https://jsfiddle.net/t2rjx0j6/

Therefore if that is the sanitation method used on that site, it's not a very good one.

However, most sites (that are secure) will sanitize inputs. Such 'security' is a fundamental factor of server-side scripting: it's not designed for users to be able to change the code. Otherwise like
@gr8gonzo said, if users could change scripts on servers, it would be pandemonium.

Better XSS prevention: For the server-side, to protect the server from XSS attacks, one way is to replace any non-alphanumeric with null inside the input, like this (form of sanitization):
$a = preg_replace ('/[^a-z0-9]/i', '', $a);

Open in new window

0
Julian HansenCommented:
How do I bypass XSS security - if that were possible what would be the point of the security in the first place.

The only solution (as Gr8gonzo has pointed out) is to bypass the code in the script by modifying the script. If it were possible to do it any other way then you would have a security hole big enough to drive a bus through and the script would be pointless.

Let's approach this from a different perspective - what is it you are wanting to do - why do you want to bypass the script?

BTW the check is not great = checking for 'script' will yield a false positive on every word that contains that sequence of letters.

conscript
scripted
prescription
1
NerdsOfTechTechnology ScientistCommented:
From a security standpoint, XSS should not be allowed. Therefore, if you are able to bypass the script, and execute any form of XSS, better security (such as stricter filters) should be implemented.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.