Knowledgebase: Security
How to stop XSS & Cross site scripting attacks in your code
Posted by Dan Moses on 24 October 2007 06:27 PM
Here is a description of the steps that can be taken to prevent iframes from being injected directly from the browser. Sample code is given at the end that can be embedded into the HTML.

Description:

Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page in order to compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on end-user systems. The payload is usually formatted as a hyperlink containing the malicious content, which is distributed over any possible means on the internet.

Defenses:

Validate your input parameters with regular expressions (pattern matching): http://www.regular-expressions.info

var objRegExp = /^\([1-9]\d{2}\)\s?\d{3}\-\d{4}$/;    (Phone number: (555)555-5555)
var objRegExp = /^\d{1,2}(\-|\/|\.)\d{1,2}\1\d{4}$/;   (Date format: mm/dd/yyyy)
var objRegExp = /(^-?\d\d*$)/;                         (Integer: digits or a negative number)

Strip out dangerous characters if they are not required in the form submission:

&    Ampersand
'    Single Quote
"    Double Quote
>    Greater Than
<    Less Than
(    Open Bracket
)    Close Bracket
[    Open Square Bracket
]    Close Square Bracket
;    Semicolon
:    Colon
/    Forward Slash
{    Left Brace
}    Right Brace
!    Exclamation
--   Double Dash
=    Equal Sign
_    Underscore

Encode required characters via the ISO 8859-1 Latin 1 character set: http://www.htmlhelp.com/reference/charset/iso032-063.html

Encode &  to &amp;
Encode '  to &#39;
Encode "  to &quot;
Encode >  to &gt;
Encode <  to &lt;
Encode (  to &#40;
Encode )  to &#41;
Encode [  to &#91;
Encode ]  to &#93;
Encode ;  to &#59;
Encode :  to &#58;
Encode /  to &#47;
Encode {  to &#123;
Encode }  to &#125;
Encode !  to &#33;
Encode -- to &#45;&#45;
Encode =  to &#61;
Encode _  to &#95;

One minor defense that is often worth doing is the "HttpOnly" flag for cookies. Scripts that run in a web browser cannot access cookie values that have the HttpOnly flag set. This is currently implemented only for Microsoft Internet Explorer.
Code Examples:

ASP (VBSCRIPT) Simple Filter:

```asp
<%@ LANGUAGE="VBSCRIPT" %>
<%
' XSS Simple Filter
ExampleInput = ";:!--=&<'XSS_Check"">{}()[]"
ExampleOutput = HackerSafe_Filter(ExampleInput)
Response.Write(ExampleOutput)

Function HackerSafe_Filter(cleanvar)
    Dim i, ch, result
    result = ""
    i = 1
    ' Walk the input once so the entities emitted here are never re-encoded
    ' (chained Replace() calls would turn the ';' of "&amp;" into "&#59;").
    Do While i <= Len(cleanvar)
        ch = Mid(cleanvar, i, 1)
        If ch = "-" And Mid(cleanvar, i, 2) = "--" Then
            ' Encode Double Dash
            result = result & "&#45;&#45;"
            i = i + 2
        Else
            Select Case ch
                Case "&":  result = result & "&amp;"    ' Ampersand
                Case "'":  result = result & "&#39;"    ' Single Quote
                Case """": result = result & "&quot;"   ' Double Quote
                Case ">":  result = result & "&gt;"     ' Greater Than
                Case "<":  result = result & "&lt;"     ' Less Than
                Case ")":  result = result & "&#41;"    ' Close Bracket
                Case "(":  result = result & "&#40;"    ' Open Bracket
                Case "]":  result = result & "&#93;"    ' Close Square Bracket
                Case "[":  result = result & "&#91;"    ' Open Square Bracket
                Case ";":  result = result & "&#59;"    ' Semicolon
                Case ":":  result = result & "&#58;"    ' Colon
                Case "/":  result = result & "&#47;"    ' Forward Slash
                Case "}":  result = result & "&#125;"   ' Right Brace
                Case "{":  result = result & "&#123;"   ' Left Brace
                Case "!":  result = result & "&#33;"    ' Exclamation
                Case "=":  result = result & "&#61;"    ' Equal Sign
                Case "_":  result = result & "&#95;"    ' Underscore
                Case Else: result = result & ch
            End Select
            i = i + 1
        End If
    Loop
    HackerSafe_Filter = result
End Function
%>
```

PHP Simple Filter:

```php
<?php
// XSS Simple Filter
$ExampleInput = ";:!--=&<'XSS_Check\">{}()[]";
$ExampleOutput = HackerSafe_Filter($ExampleInput);
echo $ExampleOutput;

function HackerSafe_Filter($cleanvar) {
    // strtr() with an array replaces in a single pass and never re-scans its
    // own output, so the '&' and ';' inside the entities it emits are not
    // encoded a second time (chained str_replace() calls would do that).
    $map = array(
        "&"  => "&amp;",      // Ampersand
        "'"  => "&#39;",      // Single Quote
        "\"" => "&quot;",     // Double Quote
        ">"  => "&gt;",       // Greater Than
        "<"  => "&lt;",       // Less Than
        ")"  => "&#41;",      // Close Bracket
        "("  => "&#40;",      // Open Bracket
        "]"  => "&#93;",      // Close Square Bracket
        "["  => "&#91;",      // Open Square Bracket
        ";"  => "&#59;",      // Semicolon
        ":"  => "&#58;",      // Colon
        "/"  => "&#47;",      // Forward Slash
        "}"  => "&#125;",     // Right Brace
        "{"  => "&#123;",     // Left Brace
        "!"  => "&#33;",      // Exclamation
        "--" => "&#45;&#45;", // Double Dash
        "="  => "&#61;",      // Equal Sign
        "_"  => "&#95;",      // Underscore
    );
    return strtr($cleanvar, $map);
}
?>
```

READ MORE ABOUT XSS -> http://en.wikipedia.org/wiki/Cross-site_scripting
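The validation patterns and the encoding table from the Defenses section, brought together in one JavaScript example added here (it is not code from the original article): the three regexes are the page's own, and the encoder applies the page's table in a single pass, which is what keeps the "&" and ";" inside the entities it emits from being encoded a second time.

```javascript
// Added example: the article's three validation patterns as predicates.
const PHONE_RE = /^\([1-9]\d{2}\)\s?\d{3}-\d{4}$/;   // (555)555-5555
const DATE_RE = /^\d{1,2}(-|\/|\.)\d{1,2}\1\d{4}$/;  // mm/dd/yyyy, same separator twice
const INT_RE = /^-?\d\d*$/;                          // digits, optionally negative

function isValidPhone(s) { return PHONE_RE.test(s); }
function isValidDate(s) { return DATE_RE.test(s); }
function isValidInteger(s) { return INT_RE.test(s); }

// The article's encoding table; "--" is the only multi-character entry.
const ENTITY_MAP = {
  "&": "&amp;", "'": "&#39;", '"': "&quot;", ">": "&gt;", "<": "&lt;",
  ")": "&#41;", "(": "&#40;", "]": "&#93;", "[": "&#91;", ";": "&#59;",
  ":": "&#58;", "/": "&#47;", "}": "&#125;", "{": "&#123;", "!": "&#33;",
  "--": "&#45;&#45;", "=": "&#61;", "_": "&#95;",
};

// One alternation, "--" listed first so it wins over a lone "-" (which the
// table does not encode). A single regex pass means the "&" and ";" produced
// by one replacement are never seen again by another replacement.
const ENTITY_RE = /--|[&'"<>()\[\];:\/{}!=_]/g;

function encodeForHtml(input) {
  return String(input).replace(ENTITY_RE, (m) => ENTITY_MAP[m]);
}

// Constructed sample: the same probe string the article's filters use.
const SAMPLE = ";:!--=&<'XSS_Check\">{}()[]";
console.log(encodeForHtml(SAMPLE));
```

This encodes for HTML body and attribute content; a value written into a script block or a URL needs the encoding rules of that context instead.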