Monday, 20 June 2011

Cross site scripting attack (XSS) introduction

What are cross-site scripting (XSS) attacks?

Cross-site scripting attacks are attacks that target the end user instead of your actual site. Vulnerable web applications that do not properly check or validate incoming data let arbitrary code (such as JavaScript) run on a client computer. The end result can be anything from stealing cookie data or redirecting to a different site to embedding a browser exploit on a page: anything that can be done with JavaScript (a lot!).


Example of a cross-site scripting (XSS) attack

Let us suppose that there is a comment form on Ramesh's website, in a section like a photo gallery or an article. He created a feature that lets his viewers comment on his photos or articles by submitting a form, and he does not have much validation on this comment form.
Now Naren (an intruder) visits Ramesh's website. He is jealous of Ramesh's website traffic and wants to steal some of it. He can insert the following code into the comment form:
Hi Ramesh, very gud job, keep it up! <img src="http://google.com/images/logo.gif" onload="window.location='http://Naren.com/'" />
Every time a user visits Ramesh's article or photos, they are rudely redirected to Naren's site.

Preventing XSS attacks in PHP

To prevent XSS attacks, you have to properly check and validate all user-supplied data that you plan on using, and not allow HTML or JavaScript code to be inserted from that form.
Or you can use htmlspecialchars() to convert HTML characters into HTML entities, so characters like < and > that mark the beginning and end of a tag are turned into HTML entities. You can also use strip_tags() to allow only some tags, but note that the function does not strip out harmful attributes like onclick or onload.
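
The comment from the example above, run through each of the options just described, so the difference between escaping and an allow-list passed to strip_tags() is visible. This is an added example, not code from the original post; escape_html() and has_live_handler() are hypothetical helper names, and the input string is constructed from the comment shown earlier.

```php
<?php
// Constructed input: the comment from the example above, as the form would submit it.
$comment = 'Hi Ramesh, very gud job, keep it up! '
    . '<img src="http://google.com/images/logo.gif" '
    . 'onload="window.location=\'http://Naren.com/\'" />';

// Hypothetical helper: escape untrusted text for output in HTML element
// content or inside a quoted attribute value.
function escape_html(string $text): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical check used only to label the output below (it is not a filter):
// is there still a real tag carrying an on* event-handler attribute?
function has_live_handler(string $html): bool
{
    return preg_match('/<[a-z][^>]*\son\w+\s*=/i', $html) === 1;
}

$variants = [
    // Echoing the comment unchanged: the browser parses the <img> tag.
    'raw output'               => $comment,
    // Allow-list of tags: <img> is kept together with all of its attributes.
    "strip_tags(\$c, '<img>')" => strip_tags($comment, '<img>'),
    // No allow-list: every tag is removed, only the text remains.
    'strip_tags($c)'           => strip_tags($comment),
    // Escaping: the markup is displayed as text, nothing is parsed as a tag.
    'escape_html($c)'          => escape_html($comment),
];

foreach ($variants as $label => $html) {
    printf(
        "%-24s handler survives: %-3s\n    %s\n",
        $label,
        has_live_handler($html) ? 'yes' : 'no',
        $html
    );
}
```

Run it from the command line with the PHP CLI; on a real page, call the escaping helper at the point where the stored comment is written into the HTML.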
