TalkPHP
 
 
06-29-2009, 03:29 AM   #1
knight13 (The Frequenter; Cleveland, Ohio; joined Jun 2009; 429 posts)
xss security

I have been reading about cross site scripting, and basically everything I have read says that XSS is basically people putting JavaScript code in form inputs, and to protect against it a person should use htmlentities to filter things going into a database.

What I want to know is if this is the only way XSS is used, and can I prevent it from happening just by using htmlentities to filter all the data that gets put into my databases?
__________________
Anyone who has never made a mistake has never tried anything new.
~ Albert Einstein ~
06-29-2009, 05:06 AM   #2
Village Idiot (Wizard, Top Contributor; joined Sep 2007; 1,211 posts)

XSS - like most JavaScript tricks - is merely a fancy layer behind the conventional means. The only way to get to your server is via HTTP (or other basic methods); the data can be forged just as easily without XSS tricks. Just secure your database inputs and validate your info. It (like most JavaScript tricks) is hype in front of a conventional method, but many don't understand how they actually work, so they feel it is a new thing. I will admit the interfaces are new, but the technology is not.

If you use PHP, use mysql_real_escape_string and typecast your ints. If you use a language that supports SQL parameters (does MySQL do those?), use them; they are inherently immune.
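
The "SQL parameters" and "typecast your ints" advice in the post above, written out as an added PHP example (not code from the thread or from any poster). It uses PDO prepared statements, which PDO exposes the same way for MySQL and SQLite; the in-memory SQLite database and its rows are constructed here so the script runs offline, and the concatenated version is kept only to show what the advice is warning against.

```php
<?php
// Added example, not from the thread: bound parameters versus string
// concatenation, plus an integer id validated and bound as an integer.
// The database, table and rows below are constructed for the demo.

declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'o''brien')");
    return $db;
}

// Contrast only: the value is spliced into the SQL text, so a quote in the
// name changes the statement itself (here it simply fails to parse).
function find_by_name_concat(PDO $db, string $name): array
{
    $rows = $db->query("SELECT id, name FROM users WHERE name = '$name'");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// Bound parameter: the driver sends the value separately from the SQL text,
// so a quote in the value is just a character in the value.
function find_by_name(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// "Typecast your ints": reject anything that is not a plain non-negative
// integer, cast what is left, and bind it as an integer.
function find_by_id(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = open_demo_db();

try {
    find_by_name_concat($db, "o'brien");
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
print_r(find_by_name($db, "o'brien"));   // the row is found; no escaping was needed
print_r(find_by_id($db, '2'));
var_dump(find_by_id($db, '2x'));          // not an integer: rejected before any SQL runs
```

The `find_by_id` check is the typecast step done properly: validating before casting means a value such as `'2x'` is refused rather than silently truncated to 2.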
06-29-2009, 09:17 AM   #3
Salathe (Moderateur; RegEx Guru, PHP Guru, Top Contributor, Advanced Programmer; joined Apr 2007; 1,238 posts)

I'm not really sure where VI is coming from with regards to his labeling cross-site scripting as "hype" or to what he refers to as "conventional methods" (unless you just mean DHTML). To slide in with talking about SQL injection further blurs things.

Back to XSS, htmlspecialchars isn't necessarily the saviour that you may think it is. One can still inject scripting without using any (of the 5) characters affected by htmlspecialchars, and an injected script can (depending on the situation) sometimes still work even if characters have been pushed through htmlspecialchars.
__________________
salathe@php.net
06-29-2009, 09:48 AM   #4
sketchMedia (The Prestige; Advanced Programmer, Top Contributor, Good Samaritan; Manchester, UK; joined Oct 2007; 832 posts)

This is a useful resource:
http://ha.ckers.org/xss.html

Quote:
htmlspecialchars isn't necessarily the saviour that you may think it is
Agreed, you would be surprised how easy (relatively) it is to bypass it (especially given that many people use broken browsers).

Essentially XSS is when the attacker is able to inject a script into a page and have it run from that domain. This has many possibilities, but the main form of attack is cookie theft (I think?), which can be very damaging.

One way to approach this is to create a white list of tags and strip out the ones not on the white list; however, this is still not fool-proof.

There are a number of libs for PHP that claim to help escape your output, one being http://htmlpurifier.org/; you might be able to use PHP's Tidy extension also.
__________________
mysql> SELECT * FROM `users` WHERE `users`.`clue` > 0;
Empty set (0.00 sec)
06-29-2009, 03:26 PM   #5
CoryMathews (The Addict; USA; joined Nov 2007; 258 posts)

Quote (Originally Posted by Village Idiot):
XSS - like most JavaScript tricks
XSS is not only a JavaScript hack, it is for any server-side language as well.

It is simply when someone inputs information into a form of some kind and the information is then shown again to the user without removing anything.

Basically, if you have, say, a search form, and in that form I "search" for

Code:
Something <a href="example.com/yourscrewed.php">View all results</a>
Now I pass the URL of these results to a user and they click on the link. Bingo, XSS attack. If you get that on a trusted site, people are likely to click it. Of course there are also all sorts of other ways, such as forms etc.

To prevent it just don't display what they typed in. Simple as that.
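
The reflected search page from the post above, as an added PHP example (not code from the thread or from any poster): first the vulnerable version that echoes the term back, then a version that escapes the term for each context it lands in, which is the point behind Salathe's remark in #3 that htmlspecialchars on its own is not the whole answer. The functions `e`, `safe_url`, `js_value` and the two `render_results_*` functions are names chosen here, and the page fragments are constructed for illustration; there is no real site or endpoint behind them.

```php
<?php
// Added example, not from the thread: a reflected search term, unescaped and
// then escaped per output context (HTML text, attribute value, link target,
// inline script). All markup here is constructed for the demo.

declare(strict_types=1);

// Vulnerable: the term goes straight back into the page, so any markup in it
// becomes part of the page. Kept only for contrast with the version below.
function render_results_vulnerable(string $q): string
{
    return "<p>You searched for: $q</p>";
}

// Escaper for HTML text and double-quoted attribute values. ENT_QUOTES covers
// both quote characters; the charset must match the one the page is served in.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// htmlspecialchars leaves ':' and '/' untouched, so a value used as a link
// target also needs a scheme allowlist; anything that is not http(s) becomes '#'.
function safe_url(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

// A value placed inside an inline <script> is JSON-encoded, with the HEX flags
// so that '<', '>', '&' and quotes cannot close the script block early.
function js_value(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Hardened: every use of the user's data is escaped for the context it lands in.
function render_results_safe(string $q, string $moreUrl): string
{
    return '<p>You searched for: ' . e($q) . '</p>' . "\n"
         . '<input type="text" name="q" value="' . e($q) . '">' . "\n"
         . '<a href="' . safe_url($moreUrl) . '">View all results</a>' . "\n"
         . '<script>var lastQuery = ' . js_value($q) . ';</script>';
}

// Constructed input in the spirit of the search term shown in the thread.
$q = 'Something <a href="example.com/yourscrewed.php">View all results</a>';

echo "--- vulnerable ---\n", render_results_vulnerable($q), "\n";
echo "--- escaped (scheme-less link target becomes '#') ---\n";
echo render_results_safe($q, 'example.com/yourscrewed.php'), "\n";
echo "--- escaped (http link target kept) ---\n";
echo render_results_safe($q, 'https://example.com/results?q=1&page=2'), "\n";
```

Run it from the command line and compare the three outputs: in the escaped versions the injected anchor is shown as inert text, the attribute value cannot break out of its quotes, the scheme-less link target is replaced, and the `&` in the kept URL is emitted as `&amp;`, which is the correct form inside an attribute.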
06-29-2009, 09:15 PM   #6
knight13 (The Frequenter; Cleveland, Ohio; joined Jun 2009; 429 posts)

What do I do if I want to allow people to be able to put links and HTML and image codes into certain parts of the website? How would I protect the site from XSS but still let them add their codes?
06-30-2009, 03:22 PM   #7
CoryMathews (The Addict; USA; joined Nov 2007; 258 posts)

You can strip out all tags, with the exception of the ones that you want. http://us3.php.net/manual/en/function.strip-tags.php

Also check out http://www.acunetix.com/websitesecur...security-1.htm; they have some great info on security for PHP. They also have a scanner (link at bottom of page) which will scan your site for XSS vulnerabilities (XSS is the free part).
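
An added PHP example for the "allow links and images but keep out scripts" case asked about in #6 and answered above; it is not code from the thread, from any poster, or from HTMLPurifier. `strip_tags()` with an allowed-tags argument keeps every attribute on the tags it keeps, event-handler attributes included, so this walks the markup with PHP's built-in DOMDocument instead and keeps only an allowlist of tags and attributes, with a scheme check on `href` and `src`. The tag list, the function names `url_allowed`, `clean_element` and `sanitize_html`, and the sample post are all constructed here; a maintained library such as HTMLPurifier (linked in #4) is the better choice for real use, and this shows what such a library has to do.

```php
<?php
// Added example, not from the thread: a minimal allowlist HTML sanitizer.
// Tags not on the list are unwrapped (their text survives), script/style are
// dropped whole, and attributes not on the list are removed.

declare(strict_types=1);

// Tag => attributes allowed on it. Constructed for the demo.
const ALLOWED_TAGS = [
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt'],
    'p'   => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
];

// Only absolute http(s) URLs are kept; a bare "example.com/page" or any other
// scheme is rejected, because the scheme is what decides how a browser acts on it.
function url_allowed(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);
}

function clean_element(DOMElement $el): void
{
    // Children first, iterating a snapshot because the live list changes underneath.
    foreach (iterator_to_array($el->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            clean_element($child);
        } elseif (!$child instanceof DOMText) {
            $el->removeChild($child);            // comments, CDATA, processing instructions
        }
    }

    $parent = $el->parentNode;
    $tag    = strtolower($el->tagName);

    if ($tag === 'script' || $tag === 'style') {
        $parent->removeChild($el);               // dropped whole, content included
        return;
    }
    if (!isset(ALLOWED_TAGS[$tag])) {
        while ($el->firstChild !== null) {       // unwrap: keep the already-clean children
            $parent->insertBefore($el->firstChild, $el);
        }
        $parent->removeChild($el);
        return;
    }
    // Allowed tag: remove every attribute not on its list, and any href/src with a bad scheme.
    foreach (iterator_to_array($el->attributes) as $attr) {
        $name = strtolower($attr->name);
        $keep = in_array($name, ALLOWED_TAGS[$tag], true)
             && (!in_array($name, ['href', 'src'], true) || url_allowed($attr->value));
        if (!$keep) {
            $el->removeAttribute($attr->name);
        }
    }
}

function sanitize_html(string $fragment): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);    // unknown tags raise warnings; keep them quiet
    $doc->loadHTML(
        '<?xml encoding="utf-8"?><html><body><div>' . $fragment . '</div></body></html>',
        LIBXML_NONET
    );
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper is the first div
    foreach (iterator_to_array($root->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            clean_element($child);
        } elseif (!$child instanceof DOMText) {
            $root->removeChild($child);
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample post: an allowed link, the scheme-less link from the
// thread, an image, an event-handler attribute, a script block and a span.
$sample = '<p>Hello <b onclick="handler()">world</b>, see '
        . '<a href="http://example.com/page" title="ok">this</a> and '
        . '<a href="example.com/yourscrewed.php">View all results</a>. '
        . '<img src="http://example.com/pic.png" alt="pic"></p>'
        . '<script>notAllowed()</script><span>plain</span>';

echo sanitize_html($sample), "\n";
```

In the output the `onclick` attribute and the script block are gone, the `span` is reduced to its text, the scheme-less `href` is removed while the `http://` link and image survive, and the result is re-serialised by the DOM rather than by string replacement, so half-closed tags in the input cannot survive into the page.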
06-30-2009, 06:51 PM   #8
knight13 (The Frequenter; Cleveland, Ohio; joined Jun 2009; 429 posts)

Thanks CM, I will check that site out, and thanks for the info.
Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.