Skip to main content

Prevent XSS attacks

XSS (Cross Site Scripting) is a surprisingly easy weakness to exploit on unprepared websites. To describe it at its highest level an XSS attack involves injecting code into a webpage and having a user execute it on the grounds that they trust the website you have hijacked.

There are a great many vectors for an XSS attack to come through, but for the most part applying a few simple safety precautions will greatly improve your site security.

XSS attacks can be split into one of three categories:

  1. Stored XSS attacks - are those where the attacker stores malicious code in your database, forum, comment section or elsewhere on your site. The victim receives the code when they request that particular content from your website.

  2. Reflected XSS attacks - are those where the malicious code is reflected off the server and sent to the victim as part of search results, emails, error messages, etc. This can be set up by tricking the victim into clicking a specially crafted link (or filling in a malicious form) that generates the appropriate response from the insecure server.

  3. DOM XSS attacks - are those where the payload is delivered on the client side by manipulating the script once it has been sent by the server.
It is essential for web developers to sanitize their data so that it does not open doors to these simple attacks.
Cardinal rule: Don't insert data you can't trust
Don't put received data into scripts, tags, HTML comments, attribute names, or tag names. Especially don't run Javascript that you receive.

If your language has automatic functions to sanitize strings (e.g.: PHP has filter_var) then use it.  Be cautious of using functions that are designed to work with html entities, some XSS attacks can work around this.

This applies to HTML elements, Javascript, CSS, attributes, names, and everywhere else that you use received data.

Useful XSS prevention resources

Acunetix provides a free version of their vulnerability scanner that does a good job of detecting XSS attacks.

The Open Web Application Security Project (OWASP) has an extensive wiki on website security.

These guys provide us with users who click on links they shouldn't. Without them we wouldn't have a job.

Trevor Sewell is a UK developer who has kindly provided a PHP XSS class that sanitizes POST data.
Labels:

Comments

Post a Comment

Popular posts from this blog

Separating business logic from persistence layer in Laravel

There are several reasons to separate business logic from your persistence layer.  Perhaps the biggest advantage is that the parts of your application which are unique are not coupled to how data are persisted.  This makes the code easier to port and maintain. I'm going to use Doctrine to replace the Eloquent ORM in Laravel.  A thorough comparison of the patterns is available  here . By using Doctrine I am also hoping to mitigate the risk of a major version upgrade on the underlying framework.  It can be expected for the ORM to change between major versions of a framework and upgrading to a new release can be quite costly. Another advantage to this approach is to limit the access that objects have to the database.  Unless a developer is aware of the business rules in place on an Eloquent model there is a chance they will mistakenly ignore them by calling the ActiveRecord save method directly. I'm not implementing the repository pattern in all its ...
Post a Comment
Read more

Solving Doctrine - A new entity was found through the relationship

There are so many different problems that people have with the Doctrine error message: exception 'Doctrine\ORM\ORMInvalidArgumentException' with message 'A new entity was found through the relationship 'App\Lib\Domain\Datalayer\UnicodeLookups#lookupStatus' that was not configured to cascade persist operations for entity: Searching through the various online sources was a bit of a nightmare.  The best documentation I found was at  http://www.krueckeberg.org/  where there were a number of clearly explained examples of various associations. More useful information about association ownership was in the Doctrine manual , but I found a more succinct explanation in the answer to this question on StackOverflow . Now I understood better about associations and ownership and was able to identify exactly what sort I was using and the syntax that was required. I was implementing a uni-directional many to one relationship, which is supposedly one of the most simpl...
Post a Comment
Read more

"Word of the Day" PHP script (with word list)

I was looking around for a way to generate a word of the day on the web and didn't find anything. So I coded a quick and dirty script to do it. Just in case anybody does a Google search and manages to find my blog: here is my Word of the Day PHP script : Copy this code snippet into a wordoftheday.php file: $file = fopen("interesting_words.txt","r"); $raw_string = fread($file,filesize("interesting_words.txt")); fclose($file); $words_array = explode("|",$raw_string); echo $words_array[array_rand($words_array)]; Of course the real issue I had was finding a list of interesting words in the right format. Here is the list of interesting words that I used: Copy this into a file called interesting_words.txt : ubiquitous : being or seeming to be everywhere at the same time; omnipresent| ecdysiast : a striptease artist| eleemosynary : of, relating to, or dependent on charity| gregious : c...
Post a Comment
Read more