Nowadays web applications are becoming more and more dynamic. A dynamic website means that the contents shown on a web page are pulled dynamically depending on some settings. These settings may include important variables sent in the query string, or data entered by users and submitted with a POST form. So in simple words we can say that your dynamic web application needs some content or data input from the user, and this is the point where Cross Site Scripting (XSS) comes into the picture.
As your dynamic web application accepts data from users or from the query string, some users find the front door open to enter your application and put their code into it. This code may include HTML and/or JavaScript, or any other client-side script. Cross-site scripting carried out on websites accounts for roughly 80% of all documented security vulnerabilities.


What is XSS?

Usually the attacker encodes some part of the link in hex and puts it into your web page through the query string. The script can be anything, so we cannot predict the behaviour of such an attack on the web application.


Attack example: a simple JavaScript snippet that reads the cookie is added to your page, and then this cookie is sent to the attacker's action page, which records all the information in the cookie created by your web application.


Refer to the following URL:

<iframe src="" text="<script>alert(document.cookie)</script>"></iframe>

If we are using the variable $text somewhere in our page and it is not escaped, then this URL will render a new iframe in the place where the $text variable is used.
In this way you can insert any script of yours into other web pages and fool users into giving up important information. Normally in such attacks the user never realises that their important information is being hacked by some other application.
This is a simple case and will not cause much damage to your site, but an attacker can do much more than this with the help of XSS.

Other XSS attacks

Attackers may inject JavaScript, VBScript, ActiveX or HTML into web pages.
Such attacks are carried out for hijacking user accounts, changing user settings, cookie theft, or advertising.

How to prevent such attacks ?

Cleansing the query-string variables is the only way you can prevent such attacks.

Cleansing the Query String – PHP:
string strip_tags ( string $str [, string $allowable_tags ] )
This function tries to return a string with all HTML and PHP tags stripped from a given str.

string htmlentities ( string $string [, int $quote_style [, string $charset [, bool $double_encode ]]] )
This function converts all characters that have an HTML entity equivalent into those entities.

Use the above functions, or you can write your own function which combines all such stripping functionalities.
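The example below is added here and is not code from the original post. It renders a query-string variable $text (the sample payloads are constructed for the demo and assumed to arrive via $_GET['text']) the unsafe way, through strip_tags() with an allow-list, and through htmlentities() with explicit flags, so the difference between tag stripping and output encoding is visible.

```php
<?php
// Added example, not code from the original post. It renders the query-string
// variable $text (constructed sample values below) the unsafe way and the way
// the functions listed above should be applied.
declare(strict_types=1);

// Unsafe: raw query-string data copied straight into the page. This is the
// pattern the post describes, kept only to show what the browser would receive.
function render_unsafe(string $text): string
{
    return "<p>Hello, $text</p>";
}

// strip_tags() with an allow-list removes the <script> tag but, as the PHP
// manual notes, leaves attributes on the allowed tags untouched, so an event
// handler attribute on an allowed <b> survives. Tag stripping alone is not
// an output encoding.
function render_stripped(string $text): string
{
    return '<p>Hello, ' . strip_tags($text, '<b>') . '</p>';
}

// Safe for an HTML text context: every character that could start a tag or
// close an attribute becomes an entity. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8, and the
// charset is passed explicitly rather than relying on the default.
function render_encoded(string $text): string
{
    return '<p>Hello, ' . htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample inputs (assumption: they arrive via $_GET['text']).
$samples = [
    'script tag'         => '<script>alert(document.cookie)</script>',
    'allowed tag + attr' => '<b onmouseover="alert(document.cookie)">hi</b>',
];

foreach ($samples as $label => $payload) {
    echo "== $label ==\n";
    echo "unsafe:   " . render_unsafe($payload) . "\n";
    echo "stripped: " . render_stripped($payload) . "\n";
    echo "encoded:  " . render_encoded($payload) . "\n";
}
```

Run it with `php` on the command line and compare the three lines per sample: only the encoded form turns every payload into inert text, which is why encoding at the point of output is what actually prevents the injected script from running.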
