XSS or Cross Site Scripting

September 22nd, 2008

XSS or Cross Site Scripting
Remote Code Execution
SQL Injections

These are not the same thing, but they share one root cause: untrusted input reaches an interpreter (a visitor's browser, the server, the database) and is treated as code instead of data. Let's discuss cross site scripting (XSS) and SQL injection, and ways to prevent them.

Cross Site Scripting

Cross-site scripting (XSS) is a web application vulnerability in which untrusted input (a form field, a URL parameter, a stored comment) is placed into a page without proper encoding, so that an attacker's HTML or JavaScript is delivered to other users and runs in their browsers with the privileges of your site. The injected script runs on the client, not on your server, but from there it can read the victim's session cookie and log in as them, submit forms in their name, or deface the page; when the victim is an administrator, that can be as damaging as a compromise of the server itself.

Preventing XSS Attacks

The root cause is code that trusts its input. There are ways to write code that prevents such attacks:

  • Validate each input used in every form of your website (type, length, allowed characters), on the server.
  • Filtering special characters from inputs (e.g. %, <, >) helps but is not sufficient on its own: an attacker can often do damage with quotes and event-handler attributes alone, and character blacklists are easy to get around.
  • Encode special characters at the point of output, for the context the data lands in. For HTML, & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot; and ' becomes &#039;; in PHP, htmlspecialchars() with ENT_QUOTES does this. Data placed inside JavaScript, a URL or CSS needs its own encoding.
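The following is an added example (not code from the original post) that shows why the second bullet alone fails and what the third bullet looks like in practice. The attacker string, the helper names e() and js(), and the use of PHP 7 or later are assumptions made for this illustration.

```php
<?php
// Added example, not from the original post. Shows why filtering a few
// characters is not enough and why escaping must happen at output time,
// for the specific context the data lands in. Assumes PHP >= 7.

// Constructed attacker input: it contains no '<' or '>' at all, so a
// blacklist of angle brackets lets it straight through; instead it breaks
// out of a quoted attribute and adds an event handler.
$attackerName = '" onmouseover="alert(document.cookie)" x="';

// The naive "filter" the bullet list above describes: strip < and >.
function filterAngleBrackets(string $s): string
{
    return str_replace(['<', '>'], '', $s);
}

// VULNERABLE: the filtered value is interpolated into an attribute unescaped.
function renderVulnerable(string $name): string
{
    $name = filterAngleBrackets($name);
    return '<input type="text" value="' . $name . '">';
}

// Escaping for HTML text and attribute context. ENT_QUOTES covers both
// kinds of quotes, ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the
// output, and the charset is always passed explicitly.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escaping for data embedded inside a <script> block: JSON-encode with
// flags that hex-escape <, >, &, ' and ", so "</script>" cannot close the
// tag and quotes cannot end the string literal.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// HARDENED: same data, escaped once per context, at the point of output.
function renderSafe(string $name): string
{
    return '<input type="text" value="' . e($name) . '">'
         . "\n<script>var name = " . js($name) . ";</script>";
}

echo "Vulnerable output (attribute broken out of, handler injected):\n";
echo renderVulnerable($attackerName), "\n\n";
echo "Hardened output (quotes encoded, script-safe literal):\n";
echo renderSafe($attackerName), "\n";
```

Run it with `php xss.php` and compare the two outputs: in the first, the browser sees a second attribute `onmouseover="alert(document.cookie)"`; in the second, every quote is `&quot;` and the JavaScript value is a proper string literal.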

SQL Injections

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of a web application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

Types of SQL injections
  • Incorrectly filtered escape characters
  • Incorrect type handling

Incorrectly filtered escape characters

In this type of SQL injection the user input is not filtered for the escape character (the single quote) that terminates a string literal, so the input can leave the literal and change the meaning of the statement.

For Example:

"SELECT * FROM users WHERE name = 'userName';"

If the userName entered by the user is

a' OR 't'='t

the statement that reaches the database becomes

"SELECT * FROM users WHERE name = 'a' OR 't'='t';"

The WHERE clause is now always true, so the query returns every row, which bypasses the user authentication method: the attacker is logged in as whichever user comes back first, or is shown everyone's data. On a database that accepts several statements in one call, the same hole lets the attacker append a second statement of their own.

Incorrect type handling

This form of SQL injection occurs when a user supplied field is not strongly typed or is not checked for type constraints.
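Both injection types, side by side with the fix, as an added example that is not code from the original post. It runs against an in-memory SQLite database so it works offline; the use of the pdo_sqlite extension, PHP 7 or later, and the table, rows and attacker strings are all assumptions made for this illustration.

```php
<?php
// Added example, not from the original post. Demonstrates both types of
// SQL injection described above and the prepared-statement fix, against
// an in-memory SQLite database (assumes pdo_sqlite and PHP >= 7).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Type 1, incorrectly filtered escape characters: the lookup shown above,
// built by string concatenation, so a quote in the input ends the literal.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT * FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Type 2, incorrect type handling: id is "numeric", so the developer leaves
// out the quotes and never checks that the input is actually an integer.
// No quote is needed to inject here, so quote filtering cannot help.
function findByIdVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT * FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: prepared statements send the query text and the data to the
// database separately, so user input is never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: for the integer case, also enforce the type before the value
// gets anywhere near the query, then bind it as an integer.
function findByIdSafe(PDO $db, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker inputs, one per injection type.
$escapeAttack = "a' OR 't'='t"; // closes the literal, adds an always-true clause
$typeAttack   = '1 OR 1=1';     // no quotes required when the value is unquoted

printf("vulnerable name lookup returns %d row(s)\n", count(findUserVulnerable($db, $escapeAttack)));
printf("vulnerable id lookup returns   %d row(s)\n", count(findByIdVulnerable($db, $typeAttack)));
printf("safe name lookup returns       %d row(s)\n", count(findUserSafe($db, $escapeAttack)));
try {
    findByIdSafe($db, $typeAttack);
} catch (InvalidArgumentException $e) {
    echo 'safe id lookup rejected the input: ', $e->getMessage(), "\n";
}
```

The two vulnerable functions return the whole table for inputs that should match nothing; the prepared version of the name lookup looks for a user literally named `a' OR 't'='t` and finds none, and the integer check refuses the second payload before any SQL is built.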

Writing Secure PHP Code
  • Magic quotes (magic_quotes_gpc) add a backslash to every incoming GET, POST and cookie value:

    * A backslash \ becomes \\
    * A quote ' becomes \'
    * A double-quote " becomes \"

    To get the original data written by the user you use stripslashes(). Do not rely on this: magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, they escape for one database's string syntax only, and they corrupt data that was never headed for a query. Use prepared statements with bound parameters (PDO or mysqli) for every query, and if you must build SQL from strings, escape with the driver's own function (mysqli_real_escape_string()) immediately before the value goes into the query.

  • Changing the extension of web pages from .php to .html with Apache mod_rewrite only hides which language the site runs on. It stops nothing once an attacker has found an injection point, so treat it as cosmetic, not as a defense.
  • Use a clean function such as the one below. Treat it as a coarse filter, not a substitute for escaping at output: a single catch-all cannot be right for HTML, JavaScript, SQL and URLs at once.
    <?php
    function clean($string)
    {
        // Undo the backslashes magic quotes added (PHP < 5.4 only);
        // on newer PHP this removes backslashes the user actually typed.
        $string = stripslashes($string);
        // Remove HTML/PHP tags first, while the angle brackets still exist;
        // running strip_tags() after htmlentities() would find nothing to strip.
        $string = strip_tags($string);
        // Encode what is left so it renders as text, including both quote
        // characters (ENT_QUOTES) and with the charset stated explicitly.
        $string = htmlentities($string, ENT_QUOTES, 'UTF-8');
        return $string;
    }
    ?>
  • You can serve PHP code from an .html file; see this bug report:
    http://bugs.php.net/bug.php?id=27580
More Security Measures
  • Never use scripts from an unreliable source.
  • Use only maintained open source software, and whenever a security upgrade or an updated version is available, update immediately.
  • Never set register_globals On in php.ini: it lets any request parameter initialise any variable in your script (it was removed in PHP 5.4).
  • Validate all inputs of every form on the server side; client-side validation is a convenience for the user and is trivially bypassed.
  • Use web vulnerability scanners to check that the site has no known holes, and remember that a clean scan is not proof that none exist.
  • Use reCAPTCHA (or another CAPTCHA) on public forms to slow down automated abuse.
  • Back up your web application and its database at regular intervals, and test that the backups restore.
  • Check file and folder permissions (chmod) on your web server. Files should be readable by the web server and writable only by the deploying account, never world-writable, and directories that accept uploads must not allow script execution.
  • Disable directory listing for folders that have no index file (Options -Indexes in Apache), or put an index file in them.
  • Use mod_rewrite to control which URLs reach which scripts.
  • Use redirection wisely: never redirect to a URL taken straight from user input (an open redirect).
  • Create custom error pages so that stack traces, SQL errors and file paths are never shown to visitors.
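Several items in the list above (register_globals, file permissions, folders without an index file) can be checked mechanically. The script below is an added example, not code from the original post: a command-line self-check to run on the server. The path argument, the list of index file names, the set of php.ini keys checked, and the use of PHP 7 or later are assumptions made for this illustration.

```php
<?php
// Added example, not from the original post: a command-line self-check for
// the php.ini settings and file-system permissions the list above warns
// about. Run as:  php check.php /var/www/html   (assumes PHP >= 7; the
// path argument and the index file names below are assumptions).

function iniIsOn(string $key): bool
{
    // ini_get() returns "" or false for unknown or removed settings (e.g.
    // register_globals on PHP >= 5.4), which counts as off. Anything else
    // that is not an explicit "off" value (such as display_errors=stderr)
    // is treated as on.
    $v = strtolower(trim((string) ini_get($key)));
    return !in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

function auditIni(): array
{
    $problems = [];
    // Settings that must be off on a production server.
    foreach (['register_globals', 'magic_quotes_gpc', 'display_errors',
              'allow_url_include', 'expose_php'] as $key) {
        if (iniIsOn($key)) {
            $problems[] = "php.ini: $key is on";
        }
    }
    return $problems;
}

function auditDocRoot(string $docRoot): array
{
    $problems = [];
    $indexNames = ['index.php', 'index.html', 'index.htm'];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST // visit directories as well as files
    );
    foreach ($it as $path => $info) {
        $mode = $info->getPerms();
        // World-writable means any local account (or any other site on a
        // shared host) can plant code that the web server will then run.
        if ($mode & 0002) {
            $problems[] = "world-writable: $path";
        }
        if ($info->isFile()) {
            // Scripts are read by the interpreter; they never need +x.
            if ($mode & 0111) {
                $problems[] = "executable bit set: $path";
            }
        } elseif ($info->isDir()) {
            // Without an index file Apache shows a listing unless
            // Options -Indexes is set, revealing every file in the folder.
            $hasIndex = false;
            foreach ($indexNames as $name) {
                if (file_exists("$path/$name")) {
                    $hasIndex = true;
                    break;
                }
            }
            if (!$hasIndex) {
                $problems[] = "no index file (directory listing risk): $path";
            }
        }
    }
    return $problems;
}

$docRoot = isset($argv[1]) ? $argv[1] : getcwd();
$all = array_merge(auditIni(), auditDocRoot($docRoot));
if (!$all) {
    echo "OK: no problems found under $docRoot\n";
} else {
    echo count($all), " problem(s):\n - ", implode("\n - ", $all), "\n";
}
```

Run it as the same user the web server runs as so that the permission bits it sees are the ones that matter, and rerun it after every deployment; a finding for register_globals or magic_quotes_gpc on a modern PHP means an old php.ini was copied forward.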

Finally, stay up to date on PHP security issues, bugs and vulnerability information by following this website:

http://phpsec.org/
