Php: XSS


#1 John

    CC Mentor

  • Moderator
  • 4450 posts
  • Location: New York, NY

Posted 23 September 2007 - 07:12 PM

Aside from SQL injections, the next most popular security exploit is cross site scripting or XSS. While SQL injections deal with how data is inputted to the database, XSS deals with how data is outputted from the database. While a good "cleaning" function (which parses data to be inputted into the database) could prevent both SQL injections and XSS, most do not. XSS occurs when a piece of functioning code is stored in a database and displayed by simply echoing it.

Most, if not all, XSS scripts involve some sort of malicious JavaScript being injected into the database and displayed. The JavaScript can cause unwanted popups, download a virus, or steal your cookies. While XSS isn't so much a security flaw to the server, it is a large security flaw to the user who is browsing your site.

Any input form that takes data directly from the user and does not clean its input and output is open to XSS. For example, if you insert this into a form which doesn't parse output, you will receive a JavaScript alert window.

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

The code above will pass through most SQL injection prevention functions. So the main way to combat XSS is to clean your output before it is displayed. You can clean it just as easily before it is entered into the database, but that causes your database to become larger and retain more data - which is why most XSS prevention is done when the database information is outputted.

Generally, what most people do when they addslashes() content that is entered into the database is stripslashes() the output - because who really wants to see everything escaped with an extra slash? It would look like this:

"It\'s cold today" or "<font color=\"#FF0000\">Hello World<\/font>"


Stripping the slashes and echoing the data would cause the html to actually execute. Rather than seeing the html itself, all you will see is "Hello World" and it will be colored. To prevent this it's a good idea to pass all your data through htmlentities(), which will convert all the special characters (<, and ", and >) into their html entity equivalent such as &lt; or &quot;, that way when they are echoed, it will actually display

<font color="#FF0000">Hello World</font>

rather than just

Hello World


In my scripts, I usually create a function called cleanOutput() that way every time I echo something from the database I don't have to call stripslashes(htmlentities($output)) every time, I can just call a single function. Moreover, if that function proves to be too weak, I can always make it stronger and not have to update every outputted line.

function cleanOutput($var) {
    // Undo the addslashes() escaping that was applied when the row was inserted
    $var = stripslashes($var);
    // Encode <, >, & and both quote styles so the browser shows them as text;
    // ENT_QUOTES is needed because the default flags leave the single quote alone
    $var = htmlentities($var, ENT_QUOTES, 'UTF-8');
    return $var;
}


Doing this:
echo cleanOutput($output);


Will clean your output. Although there is a lot more "cleaning" you can do, I've found that this is the simplest and has yet to fail me.
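The following is an added example, not code from the post above or from its author. It runs the post's stripslashes() plus htmlentities() approach over constructed sample rows (the "Hello World" font snippet, the "It's cold today" string, and the test string quoted in the post) and prints what a naive echo would emit beside what the cleaned helper emits. The function names cleanOutput, unsafeOutput and isInert, the sample rows and the inert check are this example's own assumptions; no database is involved.

```php
<?php
// Added example, not code from the original post. It exercises the post's
// stripslashes() + htmlentities() idea over constructed sample data; no database.
// The names cleanOutput, unsafeOutput and isInert are the example's own.

// Hardened version of the post's helper. ENT_QUOTES additionally encodes the
// single quote, which the default flags of htmlentities() leave untouched.
function cleanOutput(string $var): string {
    $var = stripslashes($var);                 // undo addslashes() applied at insert time
    return htmlentities($var, ENT_QUOTES, 'UTF-8');
}

// What a template that only strips the slashes and echoes the value would emit.
function unsafeOutput(string $var): string {
    return stripslashes($var);
}

// True when nothing is left that the browser could parse as a tag or as the end
// of a quoted attribute, i.e. the value can only render as text. This check is
// deliberately conservative: a plain apostrophe in body text also counts as "not inert".
function isInert(string $html): bool {
    return strpbrk($html, "<>\"'") === false;
}

// The test string quoted in the post, verbatim (nowdoc: no escaping is applied).
$polyglot = <<<'EOT'
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
EOT;

// Constructed rows, stored the way addslashes() would have written them.
$rows = [
    'greeting' => addslashes('<font color="#FF0000">Hello World</font>'),
    'comment'  => addslashes("It's cold today"),
    'payload'  => addslashes($polyglot),
];

foreach ($rows as $name => $stored) {
    $unsafe = unsafeOutput($stored);
    $clean  = cleanOutput($stored);
    printf("[%s] stored : %s\n", $name, $stored);
    printf("[%s] unsafe : %s  (inert: %s)\n", $name, $unsafe, isInert($unsafe) ? 'yes' : 'no');
    printf("[%s] clean  : %s  (inert: %s)\n\n", $name, $clean, isInert($clean) ? 'yes' : 'no');
}
```

Run it with the PHP CLI; for every row the "clean" line reports inert: yes, while the "unsafe" line for the greeting and the payload still carries raw tags and quotes. Two points the post does not spell out: htmlentities() is the right encoder only for HTML body text and quoted attribute values, so a value placed inside a script block, an event handler attribute or a URL needs its own context-specific encoding; and if rows are written with prepared statements instead of addslashes(), drop the stripslashes() call, otherwise a legitimately stored backslash is silently eaten on output.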