
Cross-Site Scripting

Author: Wojjie     Posted: 2004-05-12     Viewed: 6,704

What is it?

Cross-Site Scripting is when a visitor is able to input HTML/JavaScript code into a website and have the website display that code back to a browser unchanged.

Common Causes

When text input is not properly checked for HTML/JavaScript tags and is written directly into the page sent to the browser.

Examples and their exploits

Example 1 (code):
<?php
// Vulnerable on purpose: whatever arrives in ?comment= is echoed back
// into the page without any escaping.
$comment = isset($_GET["comment"]) ? $_GET["comment"] : "";
if ($comment) {
	echo $comment;
}
?>
Example 1 (exploit):

URL:
page.php?comment=<script>alert("pop up");</script>
Example 1 (explanation):

In this example, all HTML tags and JavaScript code get thrown back to the browser. This is a simple example, and would only affect the client that submitted that code, but if this $comment were saved and later displayed to other users, the end result could be bad. One possible thing an attacker can do is to insert JavaScript code that sends all visitors to that page to another page of his choosing.

What will end up happening in this example is that the user will be shown a JavaScript alert with the words 'pop up' in it. Exactly like the one here.

Example 1 (solution):

Since $comment is displayed back to the browser, the easiest fix is to escape the < and > characters so the browser does not interpret them as tags. Or, if you do not expect users to need a < or > character at all, simply remove all of those characters.

Escaping the < > characters:
<?php
// Replace each < and > with its HTML entity, so the browser shows the
// characters as text instead of treating them as the start of a tag.
$escapeChars[0] = array('<', '>');
$escapeChars[1] = array("&lt;", "&gt;");
$comment = str_replace($escapeChars[0],
	$escapeChars[1], isset($_GET["comment"]) ? $_GET["comment"] : "");
?>
Removing the < > characters:
<?php
// Strip < and > entirely. Simpler, but it silently drops legitimate text
// such as "a < b", so prefer escaping unless the characters are never wanted.
$escapeChars[0] = array('<', '>');
$comment = str_replace($escapeChars[0], "", isset($_GET["comment"]) ? $_GET["comment"] : "");
?>
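The following is an added example, not code from the original article. It puts the article's < > replacement next to htmlspecialchars(), PHP's built-in encoder for text placed into HTML, and runs the article's own exploit string plus two constructed ordinary comments through both. The function names and the sample comments are the example's own.

```php
<?php
// Added example (not from the original article): the article's "< >"-only
// replacement beside htmlspecialchars(), applied to the same inputs.

// The article's approach: only < and > are touched.
function escape_angle_brackets_only(string $text): string
{
    return str_replace(array('<', '>'), array('&lt;', '&gt;'), $text);
}

// The hardened approach: & < > " and ' are all encoded, so the text is
// rendered literally both in element content and inside quoted attributes.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape at output time: store the raw comment, encode on every display,
// so one encoder covers every page that shows the comment.
function render_comment(string $comment, callable $escaper): string
{
    return '<p class="comment">' . $escaper($comment) . '</p>';
}

// Constructed inputs (hypothetical visitor comments):
//  1. the article's own exploit string
//  2. ordinary text that legitimately contains & and <
//  3. text that already contains HTML entities
$samples = array(
    '<script>alert("pop up");</script>',
    'Tom & Jerry <3',
    '&lt;b&gt;not bold&lt;/b&gt;',
);

foreach ($samples as $raw) {
    echo "raw:      $raw\n";
    echo "article:  ", render_comment($raw, 'escape_angle_brackets_only'), "\n";
    echo "hardened: ", render_comment($raw, 'escape_html'), "\n\n";
}
```

Run it with php on the command line and compare the two lines for each sample. For the article's exploit string both encoders turn the script tag into harmless text. The difference shows on the third sample: because the article's version never encodes &, entity text typed by the visitor is passed through and the browser decodes it, whereas the hardened version shows exactly what was typed. Note that htmlspecialchars() is the right encoder only for HTML element content and quoted attribute values; a value placed inside a JavaScript string or a URL needs the encoding for that context instead.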


Copyright © 2004-2015: TheServerPages.com