[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

How can I protect my web site from XSS attacks?

Posted on 2009-04-02
9
Medium Priority
?
309 Views
Last Modified: 2012-08-13
How can I understand that my web site is vulnerable to those attacks?

do I need to put an extra code inside my HTML pages for extra protection?
thank you in advance
0
Comment
Question by:Braveheartli
  • 6
  • 2
9 Comments
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048406

You should first check whether your site allow input of html code or if not its fine if  yes it is vulnerable.

http://www.webmaster-talk.com/php-forum/47587-tip-prevent-xss-attacks.html


"For starters, disallow all HTML. Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like < and > that mark the beginning/end of a tag are turned into < and >. It is not enough to simply use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload. Even an innocent looking <strong> tag can contain some nasty code."

What you have to do is filter / verify any input that you will echo
back. Generally, filtering out <>#() &[ ] / \ ;  and quotes will stop most
attacks. However, see the following url for a hacker's view of ways
around many filter traps:

http://ha.ckers.org/xss.html
0
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048560
Dear mhaq_java

thank you very much for the valuable information,

Should I insert some javascript code in everypage to protect myself from XSS?
Is there a common function for protection?

I have some text areas working with ASP to receive web site communication form?
Can it be used for this attacks?

How can I check my web site if it allows input of html codes?
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048671

If you want to allow special characters(that will be no harm for users)

you can make a server side method  the take a string as argument. and check that string for special characters.
If special characters found then replace them with their appropriate html codes
you can found html code here: http://www.ascii.cl/htmlcodes.htm

If you want to completely stop special character from entering then make expression and apply it on java script. and validate your fields
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048681

and also put the following piece of code in your text area and check it execute or not.

<script>alert('hi')l</script>
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048702
and one more thing to mention you can take this example form expert exchange .

On clicking the submit button it changes the special characters to their html  ascii code  and you can see on page it doesn't show any problem
 
<script>
0
 
LVL 2

Accepted Solution

by:
mhaq_java earned 2000 total points
ID: 24048742
See the following method working on this site. On submit this funtion is called and it works fine
function replacePlainText(n)
				{
					var field = document.getElementById(n);
					var text = field.value;
					text = text.split('<').join('&lt;');
					text = text.split('>').join('&gt;');
					field.value = text;
					return true;
				}
				
				function replacePlainTextInvert(n)
				{
					var field = document.getElementById(n);
					var text = field.value;
					text = text.split('&lt;').join('<');
					text = text.split('&gt;').join('>');
					field.value = text;
					return true;
				}

Open in new window

0
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048764
I insert this <script>alert('hi')l</script> and nothing happend :)
is that means my page is safe
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048828
sorry their was the problem in script kindly check this one
<script>alert('hi');</script>

and on the safe side also implement the method if possible.
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 24049473
Please be sure to repeat the removal on the server. It is very easy to turn JS off and circumvent such a script.
I could even do
javascript:replacePlaintext=function() { return true }


0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface This is the third article about the EE Collaborative Login Project. A Better Website Login System (http://www.experts-exchange.com/A_2902.html) introduces the Login System and shows how to implement a login page. The EE Collaborative Logi…
Introduction Knockoutjs (Knockout) is a JavaScript framework (Model View ViewModel or MVVM framework).   The main ideology behind Knockout is to control from JavaScript how a page looks whilst creating an engaging user experience in the least …
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…
Suggested Courses
Course of the Month17 days, 16 hours left to enroll

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question