Protect your pages against XSS attacks
Posted: Sun Feb 23, 2014 3:11 pm
XSS (Cross-Site Scripting) is a security vulnerability that usually exploits dynamically generated web pages whose content is not escaped properly.
How does it work?
Imagine a web page where a user is allowed to write a comment. When writing the comment, he also puts this line inside it:
Code:
Some comment <script>alert('attacked')</script> another piece of comment.
When the user submits the comment, it is stored in the database and then the web browser prints it on the screen.
Why is that dangerous?
It is dangerous because, as you can see, he wrote <script>alert('attacked')</script>. That is a JavaScript call which is obviously harmless, but it can be replaced with malicious code that steals the website's cookies or session data, redirects users to other pages, etc. The web browser doesn't know that code is dangerous, so it executes it as if it were a working part of the page.
How do I protect against it?
NEVER trust what the user writes. When you expect a value to be numeric, check that the user input is numeric; when you expect a value to be an email address, check that the user input is an email address, and so forth.
Also, every time you output content from the database that was created by someone else, like comments, posts, emails, phone numbers, etc., escape it using PHP's anti-XSS function :lol:
Code:
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'); // same for $post, $email and any other user-supplied value
What this does is convert some characters into their HTML entity equivalents. For example <script>alert('attacked')</script> becomes &lt;script&gt;alert(&#039;attacked&#039;)&lt;/script&gt;. Now the web browser treats that as plain text, not code, so it won't execute it.
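Here is an added example (not code from the original post) that puts both rules together: validate input on the way in, escape output on the way out. The $comment and $author values are constructed samples, and the function names are my own.

```php
<?php
// Added example: input validation plus output escaping for a comment page.
// $comment and $author below are constructed sample values, not real data.
declare(strict_types=1);

// Escape a string before inserting it into HTML body text or a quoted attribute.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only a positive integer, e.g. the post id taken from the URL.
function validatePostId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Accept only something shaped like an e-mail address.
function validateEmail(string $raw): ?string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Constructed sample of what someone could have stored in the comments table.
$comment = "Some comment <script>alert('attacked')</script> another piece of comment.";
$author  = 'Bob "the builder" <bob@example.com>';

// Vulnerable: the stored comment is written straight into the page, so the
// browser sees a real <script> element and runs it.
$vulnerable = "<p>$comment</p>";

// Fixed: every untrusted value is escaped for the context it lands in
// (attribute value and element body both get escapeHtml()).
$safe = '<p data-author="' . escapeHtml($author) . '">' . escapeHtml($comment) . '</p>';

echo "Vulnerable markup:\n", $vulnerable, "\n\n";
echo "Escaped markup:\n", $safe, "\n\n";

// Input validation: reject anything that is not the type you expected.
foreach (['42', '42; DROP TABLE comments', '-1'] as $raw) {
    echo "post id '$raw' -> ", var_export(validatePostId($raw), true), "\n";
}
foreach (['user@example.com', 'not an email <script>'] as $raw) {
    echo "email '$raw' -> ", var_export(validateEmail($raw), true), "\n";
}
```

Run it from the command line with php and compare the two markup blocks: only the escaped one is safe to send to a browser.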
You are looking at a working example of this right now. If phpBB (Codenstuff's platform) didn't escape this topic properly, you would now be seeing a blackish screen with a popup message. :lol: :lol:
This is just a basic example of how XSS works and how to protect against it, but you get the idea.
That's it! I hope you like this tutorial and find it useful.