PHP Server Side Scripting Forum

Protecting from XSS attacks
dvduval
msg:1247270
4:43 pm on Dec 26, 2004 (gmt 0)

Someone told me recently that one of my scripts was open to XSS attacks. What are some general guidelines for checking/correcting scripts for XSS?
Dreamquick
msg:1247271
6:03 pm on Dec 26, 2004 (gmt 0)

XSS (Cross Site Scripting) is a type of attack which uses a weakness in your own website's scripts to turn people browsing your site into victims.

For example...

There might be a certain version of a popular forum or PM software that passes on messages exactly as they were written. All an attacker needs to do to make use of that bug is craft a message with a payload (typically javascript) and then get people to view their content to trigger the payload. That could be something as innocuous as getting them to read a PM or just read a post they've written.

Typical payloads are for cookie discovery (since to all intents and purposes the javascript is part of your site it can also access any cookies your site has set, so could allow elevated levels of access to a site if they got an admin's cookies) but they could also be used in conjunction with a browser security hole to exploit the whole PC.

How to prevent it
The best way to prevent leaving your site open to XSS attacks is to keep up to date with the latest patches on the software you use. If it's bespoke then use very aggressive filtering options on all data from the user (wherever possible use whitelist filtering rather than blacklist filtering because it affords far tighter control).

If you want to test it yourself then work out where users provide input that will be written to the screen at some point - don't forget about data you write to screen that's stored in hidden form variables, the querystring and cookies as they can all be compromised with very little effort.

Once you've got that list of inputs, work through the relevant scripts and check what filters and verification processes that data is subjected to before it's being used / written to screen.

- Tony
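The two defences Tony describes, whitelist filtering of input and tight control over what is written to the screen, as an added PHP example that is not part of the original post. The three inputs (a querystring name, a cookie-selected theme and a hidden form "page" field) and their sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Two complementary defences for the
// input sources the post lists (querystring, cookie, hidden form field):
// whitelist values that must come from a known set, and HTML-encode every
// user-controlled string at the moment it is written into the page.
// Field names and sample values below are constructed for illustration.

/** Encode for HTML text and double-quoted attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Whitelist: a cookie-selected theme may only be one of two known names. */
function pickTheme(?string $raw): string
{
    return in_array($raw, ['light', 'dark'], true) ? $raw : 'light';
}

/** Whitelist: a hidden "page" field must be a positive integer within range. */
function pickPage(?string $raw): int
{
    if ($raw === null || !ctype_digit($raw)) {
        return 1;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= 1000) ? $n : 1;
}

// Constructed inputs standing in for $_GET['name'], $_COOKIE['theme'], $_POST['page'].
// Each carries markup that would run if echoed unchanged, which is the bug the post describes.
$rawName  = '<script>alert(1)</script>';
$rawTheme = 'dark" onload="alert(1)';
$rawPage  = '3" onfocus="alert(1)';

// Vulnerable pattern (what the post warns about): raw input copied straight into HTML.
// echo "Hello, $rawName";
// echo '<input type="hidden" name="page" value="' . $rawPage . '">';

// Hardened: whitelist where the value set is known, encode on output everywhere.
$theme = pickTheme($rawTheme);   // falls back to 'light' because the value is not on the list
$page  = pickPage($rawPage);     // falls back to 1 because the value is not all digits
echo '<body class="' . h($theme) . '">' . "\n";
echo 'Hello, ' . h($rawName) . "\n";
echo '<input type="hidden" name="page" value="' . h((string) $page) . '">' . "\n";
```

Note that the whitelist functions return a safe default rather than echoing a filtered version of the bad value, and the encoded `$rawName` is still passed through `h()` even though it will render as harmless text.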
