I got into a really funny argument with a security guru about if PHP was a good language or not. It’s a really inane argument if you ask me, and honestly I was just trying to get a rise out of him (it worked) but after it was all said and done and I told him I was kidding, I really started to think about it. What’s the difference between low and high level languages?
Okay, but who does use it? For the most part people are using canned scripts, like my personal favorite to bash on, PHP-Nuke. Btw, try_og found yet another hole in PHP nuke today. But it goes beyond just that one application.
Luny found another XSS vulnerability in iFoto today. This one is worth mentioning because it doesn’t use HTML or URL escaping, but rather it uses base64 encoding. This is really interesting because one thing I didn’t enumerate on in the XSS Cheat Sheet calculator is that every single vector should be encoded with every encoding method to test properly. What a pain, huh?
Anyway, these canned scripts are dream for auditors. They often point to bigger issues (often reflection and stored XSS attacks are SQL injection flaws as well, and in a few cases I’ve seen problems that were caused because it was trying to execute a program that didn’t exist that I was injecting… oops!).
Actually one of the funniest things that has happened to me during my auditing adventures was when I inadvertantly brought down a system by injecting XSS inadvertantly through my user agent. It was calling some sort of resource and boom! I wouldn’t recommend changing your User Agent to anything other than raw text. You’d be surprised how many applications have custom logging logic and how many of them can’t handle XSS and SQL Injection attempts properly./RSnake