Protect your pages against XSS attacks
6 posts
Page 1 of 1
XSS (Cross-Site Scripting) is a security vulnerability that usually exploits the content of dynamically generated webpages that is not escaped properly.
How does it work?
Imagine a webpage where a user is allowed to write a comment. When he writes the comment, he also writes this line inside it.
Code:
Some comment <script>alert('attacked')</script> another piece of comment.
When the user submits the comment, it will be stored in the database and then the web browser will print it on the screen.
Why is that dangerous?
It is dangerous because, as you can see, he wrote <script>alert('attacked')</script>. That is a JavaScript function which is obviously harmless, but they can replace it with malicious code to retrieve the website's cookies or session data, redirect users to other pages, etc... But the web browser doesn't know that code is dangerous, so it will execute it thinking it's a working part of the page.
How do I protect against it?
NEVER trust what the user writes. When you expect a value to be numeric, check that the user input is numeric. When you expect a value to be an email address, check that the user input is an email address, and so forth.
Also, every time you output content from the database that was created by someone else, like comments, posts, emails, phone numbers, etc... escape it using PHP's anti-XSS function :lol:
Code:
// $comment holds the value read from the database (do the same for posts, emails, etc.)
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
What this does is convert some characters into their HTML equivalent. For example <script>alert('attacked')</script> will become &lt;script&gt;alert(&#039;attacked&#039;)&lt;/script&gt;. Now the web browser will treat that as just simple text and not code, so it won't execute it.
You're seeing a working example of this right now while reading this topic. If phpBB (Codenstuff's platform) didn't escape this topic properly, you would have seen a blackish screen with a popup message. :lol: :lol:
This is just a basic example of how XSS works and how to protect against it, but you get the idea.
That's it! I hope you like this tutorial and find it useful.
You can find me on Facebook or on Skype mihai_92b
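As an added example (not code from the post above), here is how the escaping step looks when a stored comment is actually rendered, including the attribute case that is the reason for passing ENT_QUOTES. The $comments array and the renderComment() helper are assumptions standing in for rows read from the database.

```php
<?php
// Added example, not from the original tutorial: render stored comments safely.
declare(strict_types=1);

// One escaping helper for HTML text and for attribute values.
// ENT_QUOTES encodes both ' and ", so a value can never terminate an
// attribute early; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently drop the whole comment.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the HTML for one comment. Every user-controlled value goes through
// e(), whether it lands in element text or inside a title="" attribute.
function renderComment(string $author, string $body): string
{
    return '<div class="comment" title="' . e($author) . '">'
         . '<strong>' . e($author) . '</strong>: ' . e($body)
         . '</div>';
}

// Constructed sample rows standing in for database results.
$comments = [
    // The payload from the tutorial: stored as-is, escaped on output.
    ['author' => 'alice',
     'body'   => "Some comment <script>alert('attacked')</script> another piece of comment."],
    // A name containing a single quote: harmless, but only ENT_QUOTES turns
    // the quote into &#039; so it is safe inside a single-quoted attribute too.
    ['author' => "O'Brien", 'body' => 'hello'],
];

foreach ($comments as $c) {
    echo renderComment($c['author'], $c['body']), "\n";
}
// The first line comes out with &lt;script&gt;alert(&#039;attacked&#039;)&lt;/script&gt;
// in the body, so the browser shows the tag as text instead of executing it.
```

Escaping on output (not on input) is what keeps the stored value intact while making it inert in every page that displays it.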
For your information, this is a very simple and yet an old method used to inform the webmaster about the vulnerability.
Mostly we use <style>, CharCode, VBSCRIPT, ASCII, HTML5 vectors, <img src..>, <body onload..>, etc
Anyway, I appreciate your tutorial. BTW, if the webpage is in HTML you can use some JavaScript to protect it.
Find my programs on Softpedia
As I said, this is just a basic example. Also, it doesn't matter what you use; if you use htmlspecialchars to properly escape the content, I believe most of those methods will not work.
Oh, and about the JavaScript being used to protect webpages: what happens if it's disabled?
You can find me on Facebook or on Skype mihai_92b
XTechVB wrote:
As I said, this is just a basic example. Also, it doesn't matter what you use; if you use htmlspecialchars to properly escape the content, I believe most of those methods will not work.
Oh, and about the JavaScript being used to protect webpages: what happens if it's disabled?

If the JavaScript is disabled, they won't be able to run commands either.
Find my programs on Softpedia
True! Well, to be honest I don't use JavaScript to validate forms or anything; everything I do is on the server side. But you know how it is, there will never be enough security.
You can find me on Facebook or on Skype mihai_92b
hmmm, I've found XSS in many sites (including some big ones, coz I work as a bug bounty hunter xD).
I've seen many examples. According to me, the best way to prevent XSS is HTML chars, because I've observed that those sites which use HTML chars are pretty secure...
By the way nothing is fully secure xD :mrgreen:
Copyright Information
Copyright © Codenstuff.com 2020 - 2023