BR
asked on
How can I protect my web site from XSS attacks?
How can I understand that my web site is vulnerable to those attacks?
Do I need to put extra code inside my HTML pages for extra protection?
thank you in advance
ASKER
Dear mhaq_java
thank you very much for the valuable information,
Should I insert some JavaScript code in every page to protect myself from XSS?
Is there a common function for protection?
I have some text areas working with ASP to receive web site communication forms.
Can they be used for these attacks?
How can I check whether my web site allows input of HTML code?
If you want to allow special characters (that will be no harm for users),
you can make a server-side method that takes a string as argument and checks that string for special characters.
If special characters are found, replace them with their appropriate HTML codes.
You can find the HTML codes here: http://www.ascii.cl/htmlcodes.htm
If you want to completely stop special characters from entering, then make an expression, apply it in JavaScript, and validate your fields.
And also put the following piece of code in your text area and check whether it executes or not:
<script>alert('hi')l</script>
And one more thing to mention: you can take this example from Experts Exchange.
On clicking the submit button it changes the special characters to their HTML ASCII codes, and you can see on the page that it doesn't show any problem:
<script>
ASKER
I inserted this <script>alert('hi')l</script> and nothing happened :)
Does that mean my page is safe?
Sorry, there was a problem in the script; kindly check this one:
<script>alert('hi');</script>
And on the safe side, also implement the method if possible.
Please be sure to repeat the removal on the server. It is very easy to turn JS off and circumvent such a script.
I could even do
javascript:replacePlaintext=function () { return true }
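The two points above (a server-side method that replaces special characters with their HTML codes, and the warning that a client-side script can be switched off or overridden) can be shown together in one runnable piece. The following is an added example written for this thread, not code posted by any of the participants; it is plain JavaScript so it runs stand-alone under Node.js, and the function names, the simulated request shape and the probe string are all constructed for the demonstration. The same encoding idea carries over to an ASP server-side method.

```javascript
// Added example, not code from the thread: a server-side HTML-encoding
// method plus a simulated form pipeline showing why the removal has to be
// done on the server even when a client-side script also does it.
// All function names, the request shape and the probe string are constructed.

// Characters with meaning in HTML and the entity each one becomes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Server-side method: take a string and replace each special character with
// its HTML entity so the browser renders it as text rather than as markup.
function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// What a client-side "replacePlaintext"-style script typically does before
// submit: remove angle brackets from the field value.
function clientSideClean(value) {
  return value.replace(/[<>]/g, '');
}

// Simulated browser submission. With JavaScript turned off (or the cleaning
// function overridden to do nothing), the raw field value is what gets posted.
function submitForm(fieldValue, clientScriptActive) {
  return { message: clientScriptActive ? clientSideClean(fieldValue) : fieldValue };
}

// Server A trusts that the browser already cleaned the value.
function renderTrustingClient(postBody) {
  return '<div class="comment">' + postBody.message + '</div>';
}

// Server B encodes at output, no matter what the client did.
function renderEncoding(postBody) {
  return '<div class="comment">' + encodeHtml(postBody.message) + '</div>';
}

// The manual check from the thread (paste a script tag into the textarea and
// see whether it runs) as an automatic one: is there a live <script> element
// in the HTML the server produced?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed probe: the thread's test string, with the ';' fix.
const PROBE = "<script>alert('hi');</script>";

// Run every combination of client script on/off and server behaviour and
// report where the probe survives as markup (true = vulnerable output).
function compare() {
  const out = {};
  for (const active of [true, false]) {
    const body = submitForm(PROBE, active);
    const key = active ? 'jsOn' : 'jsOff';
    out['trustClient_' + key] = containsScriptTag(renderTrustingClient(body));
    out['encodeServer_' + key] = containsScriptTag(renderEncoding(body));
  }
  return out;
}

console.log(encodeHtml(PROBE));
console.log(compare());
```

Running it shows that the server which relies on the client script is fine only while that script is active (trustClient_jsOn is false, trustClient_jsOff is true), whereas the server that encodes at output produces inert text in both cases. That is the whole reason the thread insists the check be repeated on the server: the browser is under the visitor's control, the server is not.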
You should first check whether your site allows input of HTML code. If not, it's fine; if yes, it is vulnerable.
http://www.webmaster-talk.com/php-forum/47587-tip-prevent-xss-attacks.html
"For starters, disallow all HTML. Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like < and > that mark the beginning/end of a tag are turned into &lt; and &gt;. It is not enough to simply use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload. Even an innocent looking <strong> tag can contain some nasty code."
What you have to do is filter / verify any input that you will echo back. Generally, filtering out < > # ( ) & [ ] / \ ; and quotes will stop most attacks. However, see the following URL for a hacker's view of ways around many filter traps:
http://ha.ckers.org/xss.html
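The quoted paragraph makes a point worth seeing in code: a strip_tags()-style filter that keeps "some tags" keeps those tags exactly as written, attributes included, so an allowed <strong> can still carry an onclick. The block below is an added example, not code from the thread or the linked posts; it is plain JavaScript, the function names and the sample comment are constructed, and the encodeThenAllowStrong approach (encode everything, then restore only the bare <strong> and </strong> literals) is a technique added here to show a safer way to offer limited formatting, going slightly beyond what the quote itself spells out.

```javascript
// Added example, not from the thread: why allowing "some" tags with a
// strip_tags-style filter is not the same as encoding. Function names and
// the sample comment are constructed for this demonstration.

// Replace every HTML-significant character with its entity.
function encodeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A naive imitation of strip_tags(html, allowed): drop every tag whose name
// is not on the allow list, but keep allowed tags exactly as written,
// attributes and all. This is the behaviour the quote warns about.
function stripTagsExcept(html, allowed) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) =>
    allowed.includes(name.toLowerCase()) ? tag : '');
}

// Safer way to offer bold text (technique added here, not from the thread):
// encode everything first, then restore only the exact literals
// "<strong>" and "</strong>". A <strong ...> with any attribute never matches
// the literal, so it stays encoded and is shown as text.
function encodeThenAllowStrong(input) {
  return encodeHtml(input)
    .replace(/&lt;strong&gt;/g, '<strong>')
    .replace(/&lt;\/strong&gt;/g, '</strong>');
}

// Self-check for either approach: does the output contain any tag carrying
// an on* event-handler attribute (onclick, onload, ...)?
function hasEventHandlerAttribute(html) {
  return /<[a-zA-Z][^>]*\son[a-zA-Z]+\s*=/i.test(html);
}

// Constructed comment: the "innocent looking <strong> tag" from the quote,
// carrying an event attribute, followed by a script element.
const COMMENT = '<strong onclick="alert(\'hi\')">hello</strong> <script>x()</script>';

// Run both approaches over the same comment and report what survives.
function compare() {
  const stripped = stripTagsExcept(COMMENT, ['strong']);
  const encoded = encodeThenAllowStrong(COMMENT);
  return {
    stripped,
    strippedHasHandler: hasEventHandlerAttribute(stripped),
    encoded,
    encodedHasHandler: hasEventHandlerAttribute(encoded),
  };
}

console.log(compare());
```

The tag-stripping version removes the <script> element but hands the browser a live <strong onclick=...>, so strippedHasHandler is true. The encode-first version leaves the attributed <strong ...> as visible text (only its closing </strong> is restored, which is harmless), so encodedHasHandler is false. The hasEventHandlerAttribute check is the kind of test a site owner can run over their own rendered output to answer the "does my site allow input of HTML code" question from the thread.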