This one is around the concept of an XSS attack. Let me define it first:
An XSS attack is when a user is capable of entering HTML code and then whatever webpage it is on will then process the code.
Example of a normal user:
Example of an XSS attack:
The script that the attacker inputted would mean that every page your user tried to browse, since his name was now registered as that script, when your page loads the newest account which is now him, it redirects the page to Google!
Obviously the registration form might not be the easiest place to use it, but if you created your own message board on your website by hand, it would definitely work when it posted the message because you have that script in there.
How to defend from it:
Well, as for the registration page, you should have a check that makes sure the username/password has no invalid characters in it. Mainly the only characters that should be allowed are Aa-Zz and 0-9.
As for your handmade message board or forums that don't yet have this protection implemented, you will need to write code that, when the user submits his forum post, turns the HTML tag characters (such as < and >) into what is called a character reference.
EDIT:
PHP Code:
mysql_real_escape_string();
//and
htmlspecialchars();
for getting these to hopefully start some of you in the right direction of what to use! (I know it even helped me, as my fix is a lot more code. >_<) Here's an example:
You could write code that would turn something like this "&" into this: "&" which would display the same thing either way. But yeah, your code would turn the html tag like
Code:
<script>
Note: That isn't the real character reference for < and >
I hope this helps in some sort of way, and I apologize if I made it harder to understand. Like my other posts tagged with [Website], I'll continue to work on this post and make it easier to understand!
-xSherufanir/xBlackPlagu3x; Please rate the helpfulness of this thread! ^^
Great Resource on XSS (Cross-site) attacks: Wikipedia Cross-site scripting
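The two defenses described in the post above, as an added example that is not part of the original post: a letters-and-digits check for the registration form, and `htmlspecialchars()` applied when a message-board post is written into the page. The function names, the 3-20 character length limit and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Function names, the length
// limit and the sample inputs are constructed for illustration.

// Registration check: accept only letters and digits, as the post suggests.
// \A and \z anchor the whole string, so a trailing newline cannot slip through.
function is_valid_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9]{3,20}\z/', $name) === 1;
}

// Output encoding for a message-board post: turn HTML metacharacters
// (< > & " ') into character references so the browser displays them
// as text instead of parsing them as markup.
function render_post(string $author, string $body): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $safeAuthor = htmlspecialchars($author, $flags, 'UTF-8');
    $safeBody   = htmlspecialchars($body, $flags, 'UTF-8');
    // nl2br() runs after encoding, so the only tags in the output are
    // the <br /> elements this function adds itself.
    return "<div class=\"post\"><b>{$safeAuthor}</b>: " . nl2br($safeBody) . "</div>\n";
}

// Constructed sample input: one ordinary name and one script tag like
// the redirect described in the post.
$usernames = ['Alice42', '<script>location="https://www.google.com"</script>'];
foreach ($usernames as $u) {
    printf("%-7s %s\n", is_valid_username($u) ? 'accept' : 'reject', $u);
}

// The encoded post comes out as inert text:
// &lt;script&gt;location=&quot;https://www.google.com&quot;&lt;/script&gt;
echo render_post('Bob', "Hi & welcome\n<script>location=\"https://www.google.com\"</script>");
```

Encoding is applied when the post is written into the page, so the stored text stays unchanged and every page that displays it has to go through the same function.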






