Cross-site scripting (XSS) attack by example and prevention in PHP

What are cross-site scripting (XSS) attacks?

Cross-site scripting attacks are attacks that target the end user instead of your actual site. Vulnerable web applications that don't properly check or validate incoming data let arbitrary code (such as JavaScript) run on a client computer. The end result can be anything from stealing cookie data or redirecting to a different site, to embedding a browser exploit on a page. Anything that can be done with JavaScript (a lot!).

Example of a cross-site scripting (XSS) attack

Let us suppose that Michael's website has a comment form in a section such as a photo gallery or an article. He created a feature that lets his viewers comment on his photos or articles by submitting a form, and he does not have much validation on this comment form.

Now Sam (the intruder) visits Michael's website. He is jealous of Michael's website traffic and wants to steal some of it. He can insert the following code into the comment form:

Hi Michael, very gud job, keep it up! <img src="http://google.com/images/logo.gif" onload="window.location='http://sam.com/'" />

And every time a user visits Michael's article or photos, they are rudely redirected to Sam's site.

Prevention from XSS attacks in PHP

To prevent XSS attacks, you have to check and validate properly all user-supplied data that you plan on using, and don't allow HTML or JavaScript code to be inserted through that form.

Or you can use htmlspecialchars() to convert HTML characters into HTML entities, so characters like < and > that mark the beginning and end of a tag are turned into entities and rendered as plain text. You can also use strip_tags() to allow only some tags, but be aware that the function does not strip out harmful attributes like onclick or onload from the tags it keeps.
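The following is an added example, not code from the original article: it runs Sam's comment from the example above through htmlspecialchars() and through strip_tags() with <img> allowed, to show that the first neutralises the payload while the second keeps the onload handler. The function names escapeForHtml and stripButKeepImages are my own.

```php
<?php
// Added example (not from the original article): output escaping with
// htmlspecialchars() versus the incomplete protection of strip_tags().
declare(strict_types=1);

// Constructed sample input: the comment Sam submits in the article's example.
$comment = 'Hi Michael, very gud job, keep it up! '
    . '<img src="http://google.com/images/logo.gif" '
    . 'onload="window.location=\'http://sam.com/\'" />';

// Safe output encoding for an HTML text context. ENT_QUOTES also encodes
// single quotes, which matters when the value lands inside an attribute;
// the explicit UTF-8 charset avoids silently returning an empty string
// on invalid byte sequences.
function escapeForHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// strip_tags() with an allow-list keeps whole tags, attributes included,
// so an allowed <img> still carries its onload handler into the page.
function stripButKeepImages(string $untrusted): string
{
    return strip_tags($untrusted, '<img>');
}

$escaped = escapeForHtml($comment);
// The browser now renders the tag as literal text; nothing executes.
if (strpos($escaped, '<img') !== false || strpos($escaped, '&lt;img') === false) {
    throw new RuntimeException('escaping failed');
}

$stripped = stripButKeepImages($comment);
// The event handler survives, so this is NOT a safe defence on its own.
if (strpos($stripped, 'onload=') === false) {
    throw new RuntimeException('unexpected strip_tags() result');
}

echo "Escaped:  ", $escaped, PHP_EOL;
echo "Stripped: ", $stripped, PHP_EOL;
```

Run it with `php example.php`; the first line is safe to echo into a page, the second still contains a live event handler.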

20 thoughts on “Cross-site scripting (XSS) attack by example and prevention in PHP”

  1. Ryan

    Thanks for this excellent article. I had heard about these attacks, but it was quite vague to me, and I had no idea how easy it was. Just underlines the importance of data validation on web forms. Thanks for the eye opener!

    BTW. Your site has some pretty informative articles. Keep up the good work. I’ll drop by from time to time.

  2. will

    XSS can also occur by hiding HTML within HTML.
    PHP's strip_tags() won't catch it.

    Aside from that, JavaScript validations are handy, but can only take your site so far. JavaScript has very little Unicode support, so it may not be the best tool for multi-lingual sites.

    People that use browsers like Lynx or Netscape 4 (I know … REALLY old) may not have JavaScript running, or may have a very old version of JavaScript running, which may cause validations to not run.

    XSS prevention should occur at the server level no matter what, when processing or storing input. In the event a browser dependency fails (in this case JavaScript), it becomes possible for the attacker to slip data in as they see fit.

    OSCommerce.org has an article in its documentation regarding XSS prevention which highlights the key points of prevention fairly well.

  3. Whitelist input filtering is recommended in order to avoid cross-site scripting.

    Every PHP developer should never trust user-provided data, even if it comes from a cookie, a drop-down list or hidden form fields.

    We should always check for the script tag in user input data too, which is more dangerous in this context.

  4. I absolutely agree with you safiq…

  5. sam

    Hi Michael, very gud job, keep it up!

  6. Do not completely trust web sites that use HTTPS (Secure Sockets Layer) when it comes to XSS; HTTPS ensures secure connections, but processing of the data entered by the user is internal to the application. If the application has XSS holes, the attacker may send a malicious script that can still be executed by the application and lead to XSS intrusions.

  7. Sam

    Nice job on the article

  8. Sam

    Approve me XD

  9. Hi Michael, very gud job, keep it up!

  10. Hi. Great post, but what about the case when you can't save the injected code on the website?

  11. Excellent info provided in the post, and I must say that the author provides the info in a proper way for the new reader.

  12. Thanks for such good information about XSS attacks. I just suggest everyone go and find out the non-persistent and persistent reflection points on your website and make them safe with the help of the options suggested in this article. And you are safe.

    Thanks
    Dhanesh Mane – LAMP professional

  13. Great post. Thanks for sharing. I am constantly searching online for articles that can aid me. Thanks!

  14. Samarth Sharma

    NICE JOB AND A VERY GOOD ARTICLE.

    I NEED A FAVOR. I AM A STUDENT (BEGINNER) OF INFORMATION SECURITY. CAN YOU TELL ME FROM WHERE I CAN LEARN THESE TYPES OF ATTACKS, OR FROM ANY TOOL I CAN GET THE VIRTUAL ENVIRONMENT TO USE THESE ATTACKS?

    REGARDS,
    SAMARTH SHARMA

  15. Great article. Thank you!
