Protect your pages against XSS attacks

XTechVB
VIP - Site Partner
Posts: 727
Joined: Thu May 20, 2010 10:32 am

XSS (Cross Site Scripting Attack) is a security vulnerability that usually exploits the content of dynamically generated webpages that is not escaped properly.

How does it work?
Imagine a webpage where a user is allowed to write a comment. When he writes the comment, he also writes this line inside it.
Code:
Some comment <script>alert('attacked')</script> another piece of comment.
When the user submits the comment, it will be stored in the database and then the web browser will print it on the screen.

Why is that dangerous?
It is dangerous because, as you can see, he wrote <script>alert('attacked')</script>. That is a JavaScript function which is obviously harmless, but they can replace it with malicious code to retrieve the website's cookies or session data, or redirect users to other pages, etc. But the web browser doesn't know that the code is dangerous, so it will execute it, thinking it's a working part of the page.

How do I protect against it?
NEVER trust what the user writes. When you expect a value to be numeric, check that the user input is numeric. When you expect a value to be an email address, check that the user input is an email address, and so forth.

Also, every time you output content from the database that was created by someone else, like comments, posts, emails, phone numbers, etc., escape it using PHP's anti-XSS function :lol:
Code:
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'); // $comment holds the comment, post, email, etc. being output
What this does is convert some characters into their HTML equivalent; for example, <script>alert('attacked')</script> will become &lt;script&gt;alert(&#039;attacked&#039;)&lt;/script&gt;. Now the web browser will treat that as just simple text and not code, so it won't execute it.

A working example of this you're seeing now while reading this topic. If PhpBB (Codenstuff's platform) didn't escape this topic properly, you would have now seen a black'ish screen with a popup message. :lol: :lol:

This is just a basic example of how XSS works and how to protect against it, but you get the idea.
That's it! I hope you like this tutorial and find it useful.
You can find me on Facebook or on Skype mihai_92b
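
The two steps from the tutorial above (validate what comes in, escape what goes out) put together in one script. This is an added example, not code from the original post; the field names, the helper names e() and validate_comment_form(), and the sample form values are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

// Escape untrusted text for an HTML body or a quoted attribute value.
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate on input: each field must be what the form expects.
// Returns a list of error messages (empty when the input is acceptable).
function validate_comment_form(array $input): array
{
    $errors = [];
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        $errors[] = 'Age must be a whole number between 0 and 150.';
    }
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    if (trim((string) ($input['comment'] ?? '')) === '') {
        $errors[] = 'Comment must not be empty.';
    }
    return $errors;
}

// Constructed sample submission, using the comment from the tutorial.
$form = [
    'age'     => '27',
    'email'   => 'visitor@example.com',
    'comment' => "Some comment <script>alert('attacked')</script> another piece of comment.",
];

$errors = validate_comment_form($form);
if ($errors !== []) {
    foreach ($errors as $error) {
        echo '<p class="error">', e($error), "</p>\n";
    }
    exit(1);
}

// A comment is free text, so validation lets the markup through.
// Escaping at output time is what turns it into inert text.
echo "<p title='", e($form['email']), "'>", e($form['comment']), "</p>\n";
```

htmlspecialchars covers HTML text and quoted attribute values. Values placed inside a script block, an unquoted attribute, or a URL attribute need handling that fits that context.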
Shim
VIP - Donator
Posts: 882
Joined: Wed Dec 14, 2011 5:02 am

For your information, this is a very simple and yet an old method used to inform the webmaster about the vulnerability.

Mostly we use <style>, CharCode, VBSCRIPT, ASCII, HTML5 vectors, <img src..>, <body onload..>, etc

Anyway, I appreciate your tutorial. BTW, if the webpage is in HTML you can use some JavaScript to protect it.
Find my programs on Softpedia
XTechVB
VIP - Site Partner
Posts: 727
Joined: Thu May 20, 2010 10:32 am

As I said, this is just a basic example. Also, it doesn't matter what you use; if you use htmlspecialchars to properly escape the content, I believe most of those methods will not work.

Ohh, and about the JavaScript being used to protect webpages, what happens if it's disabled?
You can find me on Facebook or on Skype mihai_92b
Shim
VIP - Donator
Posts: 882
Joined: Wed Dec 14, 2011 5:02 am

XTechVB wrote:
As I said, this is just a basic example. Also, it doesn't matter what you use; if you use htmlspecialchars to properly escape the content, I believe most of those methods will not work.

Ohh, and about the JavaScript being used to protect webpages, what happens if it's disabled?

If the JavaScript is disabled, they won't be able to run commands either.
Find my programs on Softpedia
XTechVB
VIP - Site Partner
Posts: 727
Joined: Thu May 20, 2010 10:32 am

True! Well, to be honest, I don't use JavaScript to validate forms or anything; everything I do is on the server side. But you know how it is, there will never be enough security.
You can find me on Facebook or on Skype mihai_92b
Master M1nd
Top Poster
Posts: 82
Joined: Thu Aug 15, 2013 7:51 pm

Hmmm, I've found XSS in many sites (including some big ones, coz I work as a bug bounty hunter xD).
I've seen many examples. According to me, the best way to prevent XSS is HTML chars, because I've observed that those sites which use HTML chars are pretty secure...


By the way nothing is fully secure xD :mrgreen: