Over the last week I have been thinking about applications that could morph themselves based on some criteria. Mostly, I have been thinking about this with respect to web applications which could change their layout automatically based on the user's interaction with certain parts of the application, or lack thereof.

Additionally, this week I have been doing a lot of research on web application security. Tonight the two topics merged.

What if an application could change itself in order to protect itself? For instance, what if an application which accepts user input, submits the input via GET, and then displays the information could protect itself from being used in XSS phishing attacks even if it is vulnerable to XSS attacks?

Enter dynamic variables. The code below is a quick POC I put together to decide if this would work. The outcome: yes, it could work. The code below is vulnerable to XSS attacks, but the attacks would only be valid for 2 seconds, because the variable name changes and essentially expires.

I fully admit that if someone were going to go through this much trouble, they should just fix the bad code. I wanted to try this just as a POC and for purely research reasons. There may be some value in implementing a more advanced version of this in a WAF, but again it may not be worth it, since there are other ways to address it.

Anyway, on to the code:

<?php

// Field name for this render: the current date/time as a string
// (day, ISO week, year, hour, minute, second). The format must be a quoted string.
$var = date('dWYHis');

print "<html><form action=\"test.php\" method=\"GET\"> <input type=\"text\" name=\"$var\"> <input type=\"submit\" value=\"submit\"></form><br></html>";

// On submission, this is the date/time string at the moment the request arrives.
$datechk = date('dWYHis');

foreach ($_GET as $key => $value) {
    // Accept a field only if its name is not in the future and is no more than
    // 2 seconds older than $datechk. PHP compares these numeric strings as numbers,
    // so the window only behaves at second boundaries within the same minute.
    if ($key <= $datechk AND $key > $datechk - 2) {
        echo "$value"; // intentionally unencoded: this is the POC's XSS-vulnerable reflection
    }
}

?>

The first part reads in the current date and time and sets this string as the name of a field in an HTML form.

Next, once the form is submitted, the current date and time string is read into $datechk. The submitted variables are extracted and each variable name is compared to the current $datechk value to ensure the variable is not more than 2 seconds old. If the variable name is equal to the current date-time string or is no more than 2 seconds older than it, then the variable is acceptable and the code moves on.

Obviously, the date-time string should not be relied upon alone. It could be used if it is salted in some manner, but the key is to have a repeatable process on both ends so that the variable name can be recreated and validated.
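A worked version of that salted, repeatable process, written here as an added example and not as the post's own code: the field name carries a Unix timestamp and an HMAC over it under a server-side secret, the receiving side recomputes the HMAC (compared with hash_equals()) and enforces the 2-second window against time(), and any value that is accepted is HTML-encoded before it is reflected, so the reflection itself stops being an XSS sink. The secret constant, the "f_<timestamp>_<hmac>" naming scheme and the simulated $_GET request are assumptions made for this example.

```php
<?php
// Added example, not the post's code. FIELD_SECRET stands in for a per-deployment
// secret that would be loaded from configuration outside the web root.
const FIELD_SECRET = 'replace-with-a-long-random-secret';
const WINDOW_SECONDS = 2;

// Build a field name encoding when the form was rendered: "f_<unix-ts>_<hmac-hex>".
// The HMAC binds the timestamp to this server's secret, so a name cannot be
// reproduced just by choosing a fresh timestamp.
function makeFieldName(int $now, string $secret = FIELD_SECRET): string
{
    $mac = hash_hmac('sha256', (string) $now, $secret);
    return 'f_' . $now . '_' . $mac;
}

// Decide whether a submitted field name is acceptable at time $now: the HMAC must
// verify, and the embedded timestamp must be neither in the future nor older
// than WINDOW_SECONDS.
function fieldNameIsValid(string $name, int $now, string $secret = FIELD_SECRET): bool
{
    $parts = explode('_', $name);
    if (count($parts) !== 3 || $parts[0] !== 'f' || !ctype_digit($parts[1])) {
        return false;
    }
    $ts = (int) $parts[1];
    $expected = hash_hmac('sha256', (string) $ts, $secret);
    if (!hash_equals($expected, $parts[2])) {   // constant-time comparison
        return false;
    }
    $age = $now - $ts;
    return $age >= 0 && $age <= WINDOW_SECONDS;
}

// Collect the values of all acceptable fields, HTML-encoded so that echoing them
// is safe whether or not the time window is in play.
function acceptedValues(array $get, int $now, string $secret = FIELD_SECRET): array
{
    $out = [];
    foreach ($get as $key => $value) {
        if (is_string($value) && fieldNameIsValid((string) $key, $now, $secret)) {
            $out[] = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
    }
    return $out;
}

// Render side: emit the form with the time-bound field name.
$renderedAt = time();
$field = makeFieldName($renderedAt);
echo '<form action="test.php" method="GET"><input type="text" name="'
    . htmlspecialchars($field, ENT_QUOTES, 'UTF-8')
    . '"><input type="submit" value="submit"></form>' . "\n";

// Receive side, simulated with a constructed $_GET arriving one second later.
// The script-tag value is accepted (the name is fresh) but comes back encoded.
$simulatedGet = [$field => '<script>alert(1)</script>', 'unrelated' => 'ignored'];
foreach (acceptedValues($simulatedGet, $renderedAt + 1) as $v) {
    echo $v . "\n";
}

// The same request three seconds on falls outside the window and yields nothing.
$late = acceptedValues($simulatedGet, $renderedAt + 3);
echo 'fields accepted after 3 seconds: ' . count($late) . "\n";
```

Two design points differ from the POC above. A Unix timestamp makes the age check a plain subtraction that works across minute, hour and day boundaries, where a dWYHis string compared numerically only behaves within a single minute. And the window bounds how long a crafted link stays live, but it does not replace output encoding: the example encodes on output precisely so that the reflected value is inert even inside the window.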

Sorry about the code formatting, the blog doesn’t do a great job of formatting code.