Cross-site scripting (XSS) attack by example and prevention in PHP

Posted on December 7, 2007 
Filed Under php, php attack

What are cross-site scripting (XSS) attacks?

Cross-site scripting attacks target your site's end users rather than your server. A vulnerable web application that does not properly validate incoming data, or does not escape it when it is written back into a page, lets an attacker's markup and script (typically JavaScript) run in other visitors' browsers, in the security context of your site. The result can be anything from stealing cookies or session data, to redirecting visitors to another site, to embedding a browser exploit in the page: anything JavaScript can do (which is a lot).

Example of a cross-site scripting (XSS) attack

Suppose Michael's website has a comment form in a section such as a photo gallery or an article. He has built a feature that lets his visitors comment on his photos or articles by submitting the form, and the form does very little validation of what is submitted, and the stored comment is printed back into the page unchanged.

Now Sam (the intruder) visits Michael's website. He is jealous of Michael's traffic and wants to steal some of it, so he submits the following as a comment:

Hi Michael, very gud job, keep it up! <img src="http://google.com/images/logo.gif" onload="window.location='http://sam.com/'" />

The comment is stored and rendered as live HTML. Every time a visitor opens that article or photo page, the image loads, its onload handler fires, and the visitor is rudely redirected to Sam's site.

Prevention of XSS attacks in PHP

To prevent XSS attacks, check and validate all user-supplied data that you plan to use, and do not allow HTML or JavaScript submitted through the form to reach the page unchanged. Validation on its own is not enough, because the attack happens at the moment the data is written into a page, so the data must also be escaped for the context it is output into.

For ordinary text in an HTML page, use htmlspecialchars() to convert the HTML-significant characters into HTML entities. Characters such as < and > that mark the beginning and end of a tag are turned into &lt; and &gt;, so the browser displays them as text instead of parsing them as markup; pass ENT_QUOTES and the character set explicitly so that quotes are escaped as well. Do not rely on strip_tags() with a list of allowed tags to make comments safe: the function leaves the attributes of any allowed tag untouched, so if <img> or <a> is allowed, harmful attributes such as onclick or onload survive and the attack above still works.
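The following PHP script is an added example, not code from the original post. It takes the attacker's comment from the example above as a constructed input and renders it four ways: echoed as-is (the vulnerable case), escaped with htmlspecialchars(), passed through strip_tags() with <img> allowed, and passed through strip_tags() with no allow-list. The function names and the heuristic check at the end are this example's own, not part of any library.

```php
<?php
// Added example for this post, not the post's own code.
// Shows why htmlspecialchars() at output time stops the example attack
// and why strip_tags() with an allow-list does not.
declare(strict_types=1);

// Constructed sample input: the attacker's comment from the post's example.
$comment = 'Hi Michael, very gud job, keep it up! '
    . '<img src="http://google.com/images/logo.gif" '
    . 'onload="window.location=\'http://sam.com/\'" />';

// 1. Vulnerable rendering: the stored comment is echoed verbatim, so the
//    <img onload=...> becomes live markup in every visitor's browser.
function renderVulnerable(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// 2. Safe rendering for an HTML text context. ENT_QUOTES escapes both
//    quote styles (needed if the value ever lands inside an attribute),
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
//    string, and the charset is passed explicitly rather than defaulted.
function renderEscaped(string $comment): string
{
    return '<p class="comment">'
        . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// 3. What strip_tags() with an allow-list does NOT do: attributes on the
//    allowed tags are kept as-is, so allowing <img> keeps the onload handler.
function renderStripTagsAllowingImg(string $comment): string
{
    return '<p class="comment">' . strip_tags($comment, '<img>') . '</p>';
}

// 4. strip_tags() with no allow-list removes every tag, attributes included.
//    It is still not an escaper: it silently drops text after a stray "<",
//    and it does nothing for attribute, URL or JavaScript contexts.
function renderStripAllTags(string $comment): string
{
    return '<p class="comment">' . strip_tags($comment) . '</p>';
}

// Demonstration heuristic only (not a security filter): does the output
// still contain a live <img> tag carrying an onload attribute?
function hasLiveImgOnload(string $html): bool
{
    return (bool) preg_match('/<img\b[^>]*\bonload\s*=/i', $html);
}

$outputs = [
    'vulnerable (echo as-is)' => renderVulnerable($comment),
    'htmlspecialchars()'      => renderEscaped($comment),
    'strip_tags() allow <img>' => renderStripTagsAllowingImg($comment),
    'strip_tags() no allow-list' => renderStripAllTags($comment),
];

foreach ($outputs as $label => $html) {
    printf("%-28s live onload: %s\n    %s\n\n",
        $label, hasLiveImgOnload($html) ? 'YES' : 'no', $html);
}
```

Run it with `php xss-demo.php` (any filename you like). The vulnerable rendering and the strip_tags() call that allows <img> both still carry the onload handler; the htmlspecialchars() rendering shows the attacker's markup as harmless text; strip_tags() with no allow-list removes the tag entirely but, as the comment in the code notes, is not a substitute for escaping. Escaping belongs at output time, for the context the value goes into: htmlspecialchars() is correct for HTML text and quoted attribute values, but a value placed inside a URL or a JavaScript string needs URL encoding or JSON encoding instead.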


Follow me on twitter at http://twitter.com/roshanbh.

Comments

7 Responses to “Cross-site scripting ( xss ) attack by example and prevention in PHP”

  1. Ryan on January 8th, 2008 9:53 pm

    Thanks for this excellent article. I had heard about these attacks, but it was quite vague to me, and I had no idea how easy it was. Just underlines the importance of data validation on web forms. Thanks for the eye opener!

    BTW. Your site has some pretty informative articles. Keep up the good work. I’ll drop by from time to time.

  2. will on January 15th, 2008 2:43 pm

    XSS can also occur by hiding html within html.
    php’s strip_tags won’t catch it.

    Aside from that, javascript validations are handy, but can only take your site so far. Javascript has very little unicode support, so it may not be the best tool for multi-lingual sites.

    People that use browsers like Lynx or Netscape 4 (i know …. REALLY old), may not have javascript running or a very old version of javascript running which may cause validations to not run.

    XSS Prevention should occur at the server level no matter what, when processing or storing input. In the event a browser dependency fails (in this case javascript), it becomes possible for the attacker to slip data in as they see fit.

    OSCommerce.org has an article in its documentation regarding XSS Prevention which highlights the key points of prevention fairly well.

  3. Zend Certified Engineer on April 24th, 2008 12:33 pm

    White list input filtering is recommended in order to avoid cross site scripting.

    Every php developer should never trust the user provided data even if it is from cookie, drop down list or hidden form fields.

    We should always check the script tag in user input data too which is more dangerous in this context.

  4. Roshan on April 24th, 2008 3:21 pm

    I absolutely agree with you safiq…

  5. Secure security » Blog Archive » Quick PHP Form Validator on May 4th, 2008 11:48 pm
  6. sam on May 16th, 2008 11:32 pm

    Hi Michael, very gud job, keep it up!

  7. Useful functions to tighten the PHP security on May 24th, 2008 6:39 pm

    [...] which is very handy for preventing your website from various attacks like SQL Injection Attack, XSS attack etc. Let’s check few useful functions available in PHP to tighten the security in your [...]
