
Protecting from XSS attacks

4:43 pm on Dec 26, 2004 (gmt 0)

Someone told me recently that one of my scripts was open to XSS attacks. What are some general guidelines for checking/correcting scripts for XSS?
6:03 pm on Dec 26, 2004 (gmt 0)

XSS (Cross Site Scripting) is a type of attack which uses a weakness in your own website's scripts to turn people browsing your site into victims.

For example...

There might be a certain version of a popular forum or PM software that passes on messages exactly as they were written. All an attacker needs to do to make use of that bug is craft a message with a payload (typically javascript) and then get people to view their content to trigger the payload. That could be something as innocuous as getting them to read a PM or just read a post they've written.

Typical payloads are for cookie discovery (since to all intents and purposes the javascript is part of your site it can also access any cookies your site has set, so could allow elevated levels of access to a site if they got an admin's cookies) but they could also be used in conjunction with a browser security hole to exploit the whole PC.

How to prevent it
The best way to prevent leaving your site open to XSS attacks is to keep up to date with the latest patches on the software you use. If it's bespoke then use very aggressive filtering options on all data from the user (wherever possible use whitelist filtering rather than blacklist filtering because it affords far tighter control).

If you want to test it yourself then work out where users provide input that will be written to the screen at some point - don't forget about data you write to screen that's stored in hidden form variables, the querystring and cookies as they can all be compromised with very little effort.

Once you've got that list of inputs, work through the relevant scripts and check what filters and verification processes that data is subjected to before it's being used / written to screen.

- Tony
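The "passes on messages exactly as they were written" bug and the whitelist-plus-encoding fix described above, as an added Python example that is not from the thread or any forum package; the message payload, the username rule and the function names are constructed assumptions for illustration.

```python
# Added example: a minimal message renderer in its vulnerable form beside a
# hardened form that whitelists the field it can and HTML-encodes the rest.
import html
import re

# Constructed sample input of the kind the post describes: a message body
# carrying a script payload, and a username carrying an event-handler tag.
SAMPLE_MESSAGE = 'Hi there <script>alert(1)</script>'
SAMPLE_NAME = 'bob<img src=x onerror=alert(1)>'

# Whitelist rule (assumed): usernames are 1-32 letters, digits or underscores.
NAME_RE = re.compile(r'^[A-Za-z0-9_]{1,32}$')


def is_allowed_name(name: str) -> bool:
    """Whitelist check: anything outside the allowed alphabet is rejected."""
    return NAME_RE.match(name) is not None


def render_vulnerable(name: str, message: str) -> str:
    """Echoes user data into the page verbatim: the bug the post describes."""
    return f'<p><b>{name}</b> wrote: {message}</p>'


def render_hardened(name: str, message: str) -> str:
    """Reject names outside the whitelist; HTML-encode free text on output.

    The same encoding applies to anything echoed from hidden form fields,
    the querystring or cookies, since the user controls those too.
    """
    if not is_allowed_name(name):
        raise ValueError('username contains characters outside the whitelist')
    # html.escape encodes <, >, &, " and ' so the browser renders the payload
    # as literal text instead of executing it.
    return f'<p><b>{html.escape(name)}</b> wrote: {html.escape(message)}</p>'


def has_live_tag(rendered: str) -> bool:
    """Crude check used here to show whether a tag survived rendering intact."""
    lowered = rendered.lower()
    return '<script' in lowered or 'onerror=' in lowered
```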