Solved

How can I protect my web site from XSS attacks?

Posted on 2009-04-02
251 Views
Last Modified: 2012-08-13
How can I understand that my web site is vulnerable to those attacks?

do I need to put an extra code inside my HTML pages for extra protection?
thank you in advance
0
Question by:Braveheartli
9 Comments
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048406

You should first check whether your site allows input of HTML code. If not, it's fine; if yes, it is vulnerable.

http://www.webmaster-talk.com/php-forum/47587-tip-prevent-xss-attacks.html


"For starters, disallow all HTML. Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like < and > that mark the beginning/end of a tag are turned into &lt; and &gt;. It is not enough to simply use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload. Even an innocent looking <strong> tag can contain some nasty code."

What you have to do is filter / verify any input that you will echo
back. Generally, filtering out <>#() &[ ] / \ ;  and quotes will stop most
attacks. However, see the following url for a hacker's view of ways
around many filter traps:

http://ha.ckers.org/xss.html
0
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048560
Dear mhaq_java,

Thank you very much for the valuable information.

Should I insert some JavaScript code in every page to protect myself from XSS?
Is there a common function for protection?

I have some text areas working with ASP to receive the web site communication form.
Can they be used for these attacks?

How can I check whether my web site allows input of HTML code?
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048671

If you want to allow special characters (ones that are harmless to users),

you can make a server-side method that takes a string as its argument and checks that string for special characters.
If special characters are found, replace them with their appropriate HTML codes.
You can find the HTML codes here: http://www.ascii.cl/htmlcodes.htm

If you want to completely stop special characters from entering, then build an expression, apply it in JavaScript, and validate your fields.
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048681

And also put the following piece of code in your text area and check whether it executes or not.

<script>alert('hi')l</script>
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048702
And one more thing to mention: you can take this example from Experts Exchange.

On clicking the submit button it changes the special characters to their HTML ASCII codes, and you can see on the page that it doesn't show any problem.
 
<script>
0
 
LVL 2

Accepted Solution

by:
mhaq_java earned 500 total points
ID: 24048742
See the following method working on this site. On submit this function is called and it works fine.
// Escape the angle brackets in a field's value before the form is submitted.
function replacePlainText(n)
{
	var field = document.getElementById(n);
	var text = field.value;
	text = text.split('<').join('&lt;');
	text = text.split('>').join('&gt;');
	field.value = text;
	return true;
}

// Undo the escaping, e.g. when the stored value is loaded back into the field.
function replacePlainTextInvert(n)
{
	var field = document.getElementById(n);
	var text = field.value;
	text = text.split('&lt;').join('<');
	text = text.split('&gt;').join('>');
	field.value = text;
	return true;
}


0
 
LVL 1

Author Comment

by:Braveheartli
ID: 24048764
I inserted this <script>alert('hi')l</script> and nothing happened :)
Does that mean my page is safe?
0
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24048828
Sorry, there was a problem in the script; kindly check this one:
<script>alert('hi');</script>

And to be on the safe side, also implement the method if possible.
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 24049473
Please be sure to repeat the removal on the server. It is very easy to turn JS off and circumvent such a script.
I could even do
javascript:replacePlaintext=function() { return true }


0
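As an added example (not code from this thread or from Experts Exchange), here is what the server side of the accepted solution should look like: the same kind of entity encoding as replacePlainText(), but applied by the server at output time, covering quotes and ampersands as well, with two checks that show why the browser-only version is not enough. It assumes Node.js; the function and constant names are my own.

```javascript
// Added example, not code from the thread: server-side HTML output encoding in Node.js.
// The accepted answer's replacePlainText() rewrites only < and > in the browser; as
// Michel Plungjan notes, that is bypassed simply by turning JavaScript off. Encode on
// the server, at the moment untrusted text is written into the page.

// The five characters that are significant in HTML text and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for insertion into element content or a quoted attribute.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// What the thread's client-side replacePlainText() does: only < and > are rewritten.
function escapeAngleBracketsOnly(input) {
  return String(input).split('<').join('&lt;').split('>').join('&gt;');
}

// Server-side rendering of a submitted comment as element content. Encoding happens
// here on every response, regardless of what the browser did before submitting.
function renderComment(submitted) {
  return '<p class="comment">' + escapeHtml(submitted) + '</p>';
}

// The same text re-filled into a form field (attribute context), with a chosen encoder.
function renderAsValueAttribute(submitted, encoder) {
  return '<input type="text" name="message" value="' + encoder(submitted) + '">';
}

// Check 1: does the rendered markup still contain an opening <script tag?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Check 2: is the value="..." attribute still closed by its own quote, i.e. did no
// quote in the submitted text terminate it early? An early close is exactly what lets
// the onclick/onload attributes mentioned earlier in the thread get in.
function attributeValueIsIntact(html) {
  const rest = html.slice(html.indexOf('value="') + 'value="'.length);
  return rest.indexOf('"') === rest.length - 2; // only the closing quote before '>'
}

// Constructed sample inputs: the probe string used in this thread, and an ordinary
// sentence containing quotes and an ampersand that the angle-bracket-only filter misses.
const PROBE = "<script>alert('hi');</script>";
const QUOTED_TEXT = 'say "hi" & bye';

// Pitfall when the client has already encoded (replacePlainText): the server's encoder
// then turns &lt; into &amp;lt;, which displays as a literal "&lt;". Harmless, but it is
// why encoding belongs in one place, and that place is the server.
```

The two checks are the test the asker wanted: run the probe through the server-side path and confirm no live tag or attribute breakout survives, rather than relying on what the browser appears to do.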