Cross site scripting Attack – XSS

kurinchilamp — Fri, 19 Jun 2009 03:41:04 +0000

Cross-Site Scripting (XSS) is the method of code injection whereby a malicious user injects code (html, javascript) which would get executed from the site on the users browser. When Google finds this, it will show up a warning message in its search results if the users had searched for a specific term for which your site is indexed. This can harm your user base.

XSS attacks are classified as
- Persistent attacks
- Non-persistent attacks

Non-persistent attacks are the holes in the application, where by a malformed code gets injected via your site to your user’s browser. This mostly happens when search engines indexes a page with a link of your site with malformed code injected by a malicious user.

Persistent attacks occur when the user’s (malicious) input is entered into a system and get stored into the system without proper validation. When naive users visit your site, they get infected with the malicious users code. This happens in Forums, Comments section where by the entered data is not sanitized.

As the key to accepting any user input, VALIDATE ALL DATA before storing it in your server. That by far reduces a lot of problem and hence saves your time.

To circumvent XSS, different users/applications have come with different methods like

i) avoiding html or script input

ii) have custom built tags which behave like html when presenting the text (e.g. wiki)

iii) using regular expression to build filters

Functions used in MVC frameworks to prevent XSS attacks
CakePHP: Usage of Sanitize
CodeIgniter: xss_clean

HTMLPurifier is an application used by major softwares like CodeIgniter MVC, Symfony, WordPress, Drupal, Joomla

Read through OWASP’s site for a list of common vulnerabilities.

PHP XSS: htmlspecialchars vs. htmlentities

kurinchilamp — Sun, 17 May 2009 16:13:55 +0000

Cross site scripting XSS is a term used to refer attacks or loop holes present in the scripting used by websites favoring hackers to exploit this path towards identity theft or phishing.

In PHP, two functions are mainly used to circumvent XSS attacks.
i) htmlspecialchars
ii) htmlentities

i) htmlspecialchars($string, [$quote_option]) takes care of &, “, ‘, <, > characters by converting them into equivalent character codes. If quote option is set to ENT_QUOTES it converts ‘ – single quotes to ' and if it is set to ENT_NOQUOTES it does not convert ” – double quotes to "

ii) htmlentities() is used to escape all html characters from the text and not just the five characters mentioned above.

Note: If you do not want any html characters in the text, use strip_tags($text) instead.

Also check PEAR’s HTML_Safe library

In wikipedia, you can learn more about XSS and its classification with examples.

Kurinchi Blogger Scribbles ... » XSS

Cross site scripting Attack – XSS

PHP XSS: htmlspecialchars vs. htmlentities