Solved

How can I protect my web site from XSS attacks?

Posted on 2009-04-02
9
262 Views
Last Modified: 2012-08-13
How can I understand that my web site is vulnerable to those attacks?

do I need to put an extra code inside my HTML pages for extra protection?
thank you in advance
0
Comment
Question by:Braveheartli
  • 6
  • 2
9 Comments
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048406

You should first check whether your site allow input of html code or if not its fine if  yes it is vulnerable.

http://www.webmaster-talk.com/php-forum/47587-tip-prevent-xss-attacks.html


"For starters, disallow all HTML. Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like < and > that mark the beginning/end of a tag are turned into < and >. It is not enough to simply use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload. Even an innocent looking <strong> tag can contain some nasty code."

What you have to do is filter / verify any input that you will echo
back. Generally, filtering out <>#() &[ ] / \ ;  and quotes will stop most
attacks. However, see the following url for a hacker's view of ways
around many filter traps:

http://ha.ckers.org/xss.html
0
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048560
Dear mhaq_java

thank you very much for the valuable information,

Should I insert some javascript code in everypage to protect myself from XSS?
Is there a common function for protection?

I have some text areas working with ASP to receive web site communication form?
Can it be used for this attacks?

How can I check my web site if it allows input of html codes?
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048671

If you want to allow special characters(that will be no harm for users)

you can make a server side method  the take a string as argument. and check that string for special characters.
If special characters found then replace them with their appropriate html codes
you can found html code here: http://www.ascii.cl/htmlcodes.htm

If you want to completely stop special character from entering then make expression and apply it on java script. and validate your fields
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048681

and also put the following piece of code in your text area and check it execute or not.

<script>alert('hi')l</script>
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048702
and one more thing to mention you can take this example form expert exchange .

On clicking the submit button it changes the special characters to their html  ascii code  and you can see on page it doesn't show any problem
 
<script>
0
 
LVL 2

Accepted Solution

by:
mhaq_java earned 500 total points
ID: 24048742
See the following method working on this site. On submit this funtion is called and it works fine
function replacePlainText(n)

				{

					var field = document.getElementById(n);

					var text = field.value;

					text = text.split('<').join('&lt;');

					text = text.split('>').join('&gt;');

					field.value = text;

					return true;

				}

				

				function replacePlainTextInvert(n)

				{

					var field = document.getElementById(n);

					var text = field.value;

					text = text.split('&lt;').join('<');

					text = text.split('&gt;').join('>');

					field.value = text;

					return true;

				}

Open in new window

0
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048764
I insert this <script>alert('hi')l</script> and nothing happend :)
is that means my page is safe
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048828
sorry their was the problem in script kindly check this one
<script>alert('hi');</script>

and on the safe side also implement the method if possible.
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 24049473
Please be sure to repeat the removal on the server. It is very easy to turn JS off and circumvent such a script.
I could even do
javascript:replacePlaintext=function() { return true }


0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Need help editing script 3 66
site launch date and last modified date 3 82
AWS CLI issues with Tags 3 65
How can I save all open docs into a given folder 12 87
Preface In the first article: A Better Website Login System (http://www.experts-exchange.com/A_2902.html) I introduced the EE Collaborative Login System and its intended purpose. In this article I will discuss some of the design consideratio…
JavaScript has plenty of pieces of code people often just copy/paste from somewhere but never quite fully understand. Self-Executing functions are just one good example that I'll try to demystify here.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now