Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How can I protect my web site from XSS attacks?

Posted on 2009-04-02
9
276 Views
Last Modified: 2012-08-13
How can I understand that my web site is vulnerable to those attacks?

do I need to put an extra code inside my HTML pages for extra protection?
thank you in advance
0
Comment
Question by:Braveheartli
  • 6
  • 2
9 Comments
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048406

You should first check whether your site allow input of html code or if not its fine if  yes it is vulnerable.

http://www.webmaster-talk.com/php-forum/47587-tip-prevent-xss-attacks.html


"For starters, disallow all HTML. Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like < and > that mark the beginning/end of a tag are turned into < and >. It is not enough to simply use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload. Even an innocent looking <strong> tag can contain some nasty code."

What you have to do is filter / verify any input that you will echo
back. Generally, filtering out <>#() &[ ] / \ ;  and quotes will stop most
attacks. However, see the following url for a hacker's view of ways
around many filter traps:

http://ha.ckers.org/xss.html
0
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048560
Dear mhaq_java

thank you very much for the valuable information,

Should I insert some javascript code in everypage to protect myself from XSS?
Is there a common function for protection?

I have some text areas working with ASP to receive web site communication form?
Can it be used for this attacks?

How can I check my web site if it allows input of html codes?
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048671

If you want to allow special characters(that will be no harm for users)

you can make a server side method  the take a string as argument. and check that string for special characters.
If special characters found then replace them with their appropriate html codes
you can found html code here: http://www.ascii.cl/htmlcodes.htm

If you want to completely stop special character from entering then make expression and apply it on java script. and validate your fields
0
MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048681

and also put the following piece of code in your text area and check it execute or not.

<script>alert('hi')l</script>
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048702
and one more thing to mention you can take this example form expert exchange .

On clicking the submit button it changes the special characters to their html  ascii code  and you can see on page it doesn't show any problem
 
<script>
0
 
LVL 2

Accepted Solution

by:
mhaq_java earned 500 total points
ID: 24048742
See the following method working on this site. On submit this funtion is called and it works fine
function replacePlainText(n)
				{
					var field = document.getElementById(n);
					var text = field.value;
					text = text.split('<').join('&lt;');
					text = text.split('>').join('&gt;');
					field.value = text;
					return true;
				}
				
				function replacePlainTextInvert(n)
				{
					var field = document.getElementById(n);
					var text = field.value;
					text = text.split('&lt;').join('<');
					text = text.split('&gt;').join('>');
					field.value = text;
					return true;
				}

Open in new window

0
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048764
I insert this <script>alert('hi')l</script> and nothing happend :)
is that means my page is safe
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048828
sorry their was the problem in script kindly check this one
<script>alert('hi');</script>

and on the safe side also implement the method if possible.
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 24049473
Please be sure to repeat the removal on the server. It is very easy to turn JS off and circumvent such a script.
I could even do
javascript:replacePlaintext=function() { return true }


0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Problem to picture file 3 81
how to add permissions to HKEY_users. It says the path doesn't exist 10 95
exchange ,script 10 52
Renaming with batch file 9 50
Shoutout to Emily Plummer (http://www.experts-exchange.com/members/eplummer26.html) for giving me this article! She did most of it, I just finished it up and posted it for her :)    Introduction In a previous article (http://www.experts-exchang…
Active Directory replication delay is the cause to many problems.  Here is a super easy script to force Active Directory replication to all sites with by using an elevated PowerShell command prompt, and a tool to verify your changes.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question