Solved

How can I protect my web site from XSS attacks?

Posted on 2009-04-02
268 Views
Last Modified: 2012-08-13
How can I understand whether my web site is vulnerable to those attacks?

Do I need to put extra code inside my HTML pages for extra protection?
Thank you in advance.
Question by:Braveheartli
9 Comments
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048406

You should first check whether your site allows input of HTML code. If not, it's fine; if yes, it is vulnerable.

http://www.webmaster-talk.com/php-forum/47587-tip-prevent-xss-attacks.html


"For starters, disallow all HTML. Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like < and > that mark the beginning/end of a tag are turned into &lt; and &gt;. It is not enough to simply use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload. Even an innocent looking <strong> tag can contain some nasty code."

What you have to do is filter / verify any input that you will echo back. Generally, filtering out < > # ( ) & [ ] / \ ; and quotes will stop most attacks. However, see the following URL for a hacker's view of ways around many filter traps:

http://ha.ckers.org/xss.html
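The comment above recommends encoding over filtering. The following is an added example, not code from this thread, that makes the point concrete in JavaScript: a blacklist filter that strips <script> tags, an allowlist filter in the spirit of PHP's strip_tags() with allowed tags, and an htmlspecialchars()-style encoder are each run over three constructed payloads of the kind catalogued on the ha.ckers.org cheat sheet. The function names, the payloads and the crude looksExecutable() check are all assumptions made for the demonstration.

```javascript
// Added example: three "defences" against the same constructed payloads.
// Only the encoder leaves nothing a browser would execute.

// Strategy 1: blacklist. Strip <script> tags in a single, case-insensitive pass.
function stripScriptTags(html) {
  return html.replace(/<\/?script[^>]*>/gi, '');
}

// Strategy 2: allowlist in the spirit of PHP strip_tags($s, '<strong>'):
// tags whose name is not allowed are dropped, allowed tags are kept verbatim,
// including whatever attributes they carry.
const ALLOWED_TAGS = new Set(['strong', 'em', 'p']);
function stripDisallowedTags(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? tag : ''
  );
}

// Strategy 3: encode, like htmlspecialchars($s, ENT_QUOTES). Every character
// with markup meaning becomes an entity, so user text can neither start a
// tag nor end an attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Crude check for the demo only (not an XSS detector): does the output still
// contain a <script> element or a tag carrying an on* event handler?
function looksExecutable(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payloads (assumptions for the demo):
const PAYLOADS = {
  // Nested tag: removing the inner <script> once reassembles the outer one.
  nested: '<scr<script>ipt>alert(1)</scr</script>ipt>',
  // No <script> at all; an event handler on an image does the job.
  handler: '<img src=x onerror=alert(1)>',
  // "Innocent" allowed tag carrying a handler attribute.
  strong: '<strong onmouseover="alert(1)">hover me</strong>',
};

// Returns, per payload, whether each strategy still leaves executable markup.
function runComparison() {
  const results = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    results[name] = {
      blacklist: looksExecutable(stripScriptTags(payload)),
      allowlist: looksExecutable(stripDisallowedTags(payload)),
      encoded: looksExecutable(encodeHtml(payload)),
    };
  }
  return results;
}
```

The blacklist fails on all three payloads (the nested one literally rebuilds `<script>alert(1)</script>` after one pass of stripping); the allowlist survives the first two but lets the handler on `<strong>` through, which is exactly the strip_tags() weakness quoted above; the encoder neutralises everything because the output contains no `<` at all.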
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048560
Dear mhaq_java,

thank you very much for the valuable information.

Should I insert some JavaScript code in every page to protect myself from XSS?
Is there a common function for protection?

I have some text areas working with ASP to receive a web site communication form.
Can they be used for these attacks?

How can I check whether my web site allows input of HTML code?
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048671

If you want to allow special characters (that will be no harm for users),

you can make a server-side method that takes a string as argument and checks that string for special characters.
If special characters are found, replace them with their appropriate HTML codes.
You can find the HTML codes here: http://www.ascii.cl/htmlcodes.htm

If you want to completely stop special characters from entering, then make an expression, apply it in JavaScript and validate your fields.
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048681

And also put the following piece of code in your text area and check whether it executes or not.

<script>alert('hi')l</script>
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048702
And one more thing to mention: you can take this example from Experts Exchange.

On clicking the submit button it changes the special characters to their HTML ASCII codes, and you can see on the page that it doesn't show any problem.
 
<script>
 
LVL 2

Accepted Solution

by:mhaq_java (earned 500 total points)
ID: 24048742
See the following method working on this site. On submit this function is called and it works fine.

// Replaces the two tag delimiters in a form field with their HTML entities
// before the form is submitted; n is the id of the field.
function replacePlainText(n)
{
    var field = document.getElementById(n);
    var text = field.value;
    text = text.split('<').join('&lt;');
    text = text.split('>').join('&gt;');
    field.value = text;
    return true;
}

// Reverse of replacePlainText: turns the entities back into < and >.
function replacePlainTextInvert(n)
{
    var field = document.getElementById(n);
    var text = field.value;
    text = text.split('&lt;').join('<');
    text = text.split('&gt;').join('>');
    field.value = text;
    return true;
}
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048764
I inserted this <script>alert('hi')l</script> and nothing happened :)
Does that mean my page is safe?
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048828
Sorry, there was a problem in the script. Kindly check this one:
<script>alert('hi');</script>

And to be on the safe side, also implement the method if possible.
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 24049473
Please be sure to repeat the removal on the server. It is very easy to turn JS off and circumvent such a script.
I could even do
javascript:replacePlainText=function() { return true }
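The accepted solution escapes < and > in the browser before submit, and the last comment points out that the browser step can be skipped. The example below is added here and is not code from the thread or from the asker's site. It models the reply page of an ASP-style contact form in plain JavaScript so it runs anywhere, with renderReply() standing in for the server-side page that echoes the message back, and shows two things: the server sees the raw value whenever the page's JavaScript did not run, and even when replacePlainText() does run, a payload containing no < or > is passed through untouched and still breaks out of an attribute. The payload, renderReply(), inputAttributes() and the page layout are assumptions of the example; the remark about Server.HTMLEncode applies if the pages are classic ASP.

```javascript
// Added example: why the escaping must happen on the server, at output time,
// with the output context in mind. Nothing here is from the original thread.

// Browser side, as in the accepted answer: only < and > are replaced.
function replacePlainText(text) {
  return text.split('<').join('&lt;').split('>').join('&gt;');
}

// Server side: encode every markup-significant character. On classic ASP the
// built-in equivalent is Server.HTMLEncode (assumption: the asker's pages are
// classic ASP); it leaves the single quote alone, so always put attribute
// values in double quotes, as renderReply() does.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// The reply page (assumed layout): the message appears once as element text
// and once as the pre-filled value of an input. `encoder` is whatever the
// server applies before writing the value into the page.
function renderReply(message, encoder) {
  const safe = encoder(message);
  return '<p>You wrote: ' + safe + '</p>\n' +
         '<input type="text" name="subject" value="' + safe + '">';
}

// Lists the attribute names of the first <input> in a page, tokenising with
// quote awareness the way a browser does (simplified: double-quoted,
// single-quoted or unquoted values).
function inputAttributes(html) {
  const tag = html.match(/<input\b([^>]*)>/);
  if (!tag) return [];
  const re = /\s([a-zA-Z][\w-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed payload: contains no < or >, so replacePlainText() passes it
// through unchanged, yet it closes the value="" attribute and adds a handler.
const PAYLOAD = '" autofocus onfocus="alert(1)';

function demo() {
  // Case 1: the server trusts that the browser already cleaned the value.
  // Whether the page's JavaScript ran or was bypassed makes no difference here.
  const trustingClient = renderReply(replacePlainText(PAYLOAD), (s) => s);
  // Case 2: the server encodes at output time, regardless of the client.
  const serverEncoded = renderReply(PAYLOAD, encodeHtml);
  return { trustingClient, serverEncoded };
}
```

In the first case the rendered input gains an onfocus attribute (and autofocus fires it without any user action); in the second the whole payload stays inside the value. Note that the same string is harmless inside the <p> element and dangerous inside value="": that is why encoding has to be done at output, knowing the context, and on the server, rather than once on the way in.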
