PHP Programming/Cross Site Scripting Attacks
Problem[edit | edit source]
Cross site scripting (or XSS) is a basic description of a script sending sensitive information (such as cookies or other session identifiers) to other websites.
Usually, these attacks affect websites that content can be edited or added to. In most cases, session identifiers or even usernames/passwords are stored inside cookies. In the case somebody knows the session identifier, they can easily use it on their machine to do any malicious tasks that you would not be happy about.
Right now, if you are logged in on wikibooks or any other websites, go to that page and type this into the address bar:
These are cookies that are sent to the website each time to identify you. Easily, if your site is not XSS proof - the cracker will write anything like this:
that will send the cookie information to their website.
Prevention[edit | edit source]
$message = htmlentities($message);
Another way to do this is to overall create any kind of "protected mode" code, such as MediaWiki, BBCode or others that have been invented for purpose of easily styling/formatting user's content.
External Links[edit | edit source]
- CGIsecurity.com: Cross Site Scripting questions and answers
- OWASP Cross-site Scripting
- A Comprehensive Guide to OWASP Penetration Testing