Knowledgebase: Security
How to stop XSS & Cross site scripting attacks in your code
Posted by Dan Moses on 24 October 2007 06:27 PM
Here is a description of the steps that can be taken to prevent markup such as iframes from being injected into a page through data submitted from the browser.

Sample code that can be embedded in the page is given at the end.



Description:
Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page in order to compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on end-user systems. The payload is usually delivered as a hyperlink containing the malicious content, distributed by any available means on the internet.


Defenses:
Validate your input parameters with regular expressions (pattern matching): http://www.regular-expressions.info
var objRegExp = /^\([1-9]\d{2}\)\s?\d{3}\-\d{4}$/; (Phone Number: (555)555-5555)
var objRegExp = /^\d{1,2}(\-|\/|\.)\d{1,2}\1\d{4}$/; (Date Format: mm/dd/yyyy, with the same separator used twice)
var objRegExp = /(^-?\d\d*$)/; (Integer: digits or a negative number)


Strip-out dangerous characters if not required in form submission:
& Ampersand
' Single Quote
" Double Quote
> Greater Than
< Less Than
( Open Bracket
) Close Bracket
[ Open Square Bracket
] Close Square Bracket
; Semicolon
: Colon
/ Forward Slash
{ Left Brace
} Right Brace
! Exclamation
-- Double Dash
= Equal Sign
_ Underscore


Encode required characters via the ISO 8859-1 Latin 1 character set: http://www.htmlhelp.com/reference/charset/iso032-063.html
The encoding must be done in a single pass over the string rather than as a chain of one-character replacements, because the entities themselves contain & and ; and a later replacement would corrupt entities written earlier.
Encode & to &#38;
Encode ' to &#39;
Encode " to &#34;
Encode > to &#62;
Encode < to &#60;
Encode ( to &#40;
Encode ) to &#41;
Encode [ to &#91;
Encode ] to &#93;
Encode ; to &#59;
Encode : to &#58;
Encode / to &#47;
Encode { to &#123;
Encode } to &#125;
Encode ! to &#33;
Encode -- to &#45;&#45;
Encode = to &#61;
Encode _ to &#95;
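As an added example (not code from the original article), the same two defenses in JavaScript: the page's three regular expressions used as an allow-list, and the character list encoded to ISO 8859-1 numeric entities in a single pass; chainedEncode is included only to show why one replacement per character corrupts entities already emitted. The names validators, isValid, entityMap, encodeEntities and chainedEncode are assumed.

```javascript
// Added example, not from the original article. Assumed names: validators,
// isValid, entityMap, encodeEntities, chainedEncode.

// Allow-list validation: the three patterns from the Defenses section.
const validators = {
  phone:   /^\([1-9]\d{2}\)\s?\d{3}\-\d{4}$/,    // (555)555-5555
  date:    /^\d{1,2}(\-|\/|\.)\d{1,2}\1\d{4}$/,  // mm/dd/yyyy; \1 forces one separator
  integer: /(^-?\d\d*$)/,                        // digits or a negative number
};

// True only when the value matches the pattern registered for its field type.
function isValid(kind, value) {
  const re = validators[kind];
  if (!re) throw new Error("unknown field type: " + kind);
  return re.test(value);
}

// ISO 8859-1 decimal entities for the characters the page lists.
const entityMap = {
  "&": "&#38;", "'": "&#39;", '"': "&#34;", ">": "&#62;", "<": "&#60;",
  "(": "&#40;", ")": "&#41;", "[": "&#91;", "]": "&#93;", ";": "&#59;",
  ":": "&#58;", "/": "&#47;", "{": "&#123;", "}": "&#125;", "!": "&#33;",
  "--": "&#45;&#45;", "=": "&#61;", "_": "&#95;",
};

// Single pass: one regular expression visits each position of the input once,
// so the "&" and ";" of entities already emitted are never encoded again.
// "--" is tried first so a double dash is handled as one unit; a lone "-" passes.
function encodeEntities(s) {
  return s.replace(/--|[&'"><()\[\];:\/{}!=_]/g, (m) => entityMap[m]);
}

// The pitfall the single pass avoids: applying the same table as one
// replacement per character re-encodes the ";" of "&#38;" and breaks it.
function chainedEncode(s) {
  for (const [ch, ent] of Object.entries(entityMap)) s = s.split(ch).join(ent);
  return s;
}
```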


One minor defense that is often worth doing is the "HttpOnly" flag for cookies. Scripts that run in a web browser cannot access cookie values that have the HttpOnly flag set. This is currently implemented only for Microsoft Internet Explorer.
Code Examples:
ASP (VBSCRIPT) Simple Filter:
<%@ LANGUAGE="VBSCRIPT" %>
<%
' XSS Simple Filter

ExampleInput = ";:!--=&<'XSS_Check"">{}()[]"
ExampleOutput = HackerSafe_Filter(ExampleInput)
Response.Write(ExampleOutput)

' Walks the string once and replaces each listed character with its ISO 8859-1
' numeric entity. A chain of Replace() calls would not work here: once "&" has
' become "&#38;", a later Replace(";", "&#59;") would corrupt it to "&#38&#59;".
Function HackerSafe_Filter(cleanvar)
    Dim i, ch, out
    out = ""
    i = 1
    Do While i <= Len(cleanvar)
        ch = Mid(cleanvar, i, 1)
        If Mid(cleanvar, i, 2) = "--" Then
            out = out & "&#45;&#45;"            ' Double Dash
            i = i + 1                           ' consumed two characters
        Else
            Select Case ch
                Case "&":  out = out & "&#38;"   ' Ampersand
                Case "'":  out = out & "&#39;"   ' Single Quote
                Case """": out = out & "&#34;"   ' Double Quote
                Case ">":  out = out & "&#62;"   ' Greater Than
                Case "<":  out = out & "&#60;"   ' Less Than
                Case ")":  out = out & "&#41;"   ' Close Bracket
                Case "(":  out = out & "&#40;"   ' Open Bracket
                Case "]":  out = out & "&#93;"   ' Close Square Bracket
                Case "[":  out = out & "&#91;"   ' Open Square Bracket
                Case ";":  out = out & "&#59;"   ' Semicolon
                Case ":":  out = out & "&#58;"   ' Colon
                Case "/":  out = out & "&#47;"   ' Forward Slash
                Case "}":  out = out & "&#125;"  ' Right Brace
                Case "{":  out = out & "&#123;"  ' Left Brace
                Case "!":  out = out & "&#33;"   ' Exclamation
                Case "=":  out = out & "&#61;"   ' Equal Sign
                Case "_":  out = out & "&#95;"   ' Underscore
                Case Else: out = out & ch        ' everything else passes through
            End Select
        End If
        i = i + 1
    Loop
    HackerSafe_Filter = out
End Function
%>


PHP Simple Filter:
<?php
// XSS Simple Filter

$ExampleInput = ";:!--=&<'XSS_Check\">{}()[]";
$ExampleOutput = HackerSafe_Filter($ExampleInput);
echo $ExampleOutput;

// strtr() with an array replaces in a single pass (longest key first), so the
// "&" and ";" of entities already produced are never encoded again. A chain of
// str_replace() calls would turn "&#38;" into "&#38&#59;".
function HackerSafe_Filter($cleanvar) {
    $map = array(
        "&"  => "&#38;",      // Ampersand
        "'"  => "&#39;",      // Single Quote
        "\"" => "&#34;",      // Double Quote
        ">"  => "&#62;",      // Greater Than
        "<"  => "&#60;",      // Less Than
        ")"  => "&#41;",      // Close Bracket
        "("  => "&#40;",      // Open Bracket
        "]"  => "&#93;",      // Close Square Bracket
        "["  => "&#91;",      // Open Square Bracket
        ";"  => "&#59;",      // Semicolon
        ":"  => "&#58;",      // Colon
        "/"  => "&#47;",      // Forward Slash
        "}"  => "&#125;",     // Right Brace
        "{"  => "&#123;",     // Left Brace
        "!"  => "&#33;",      // Exclamation
        "--" => "&#45;&#45;", // Double Dash
        "="  => "&#61;",      // Equal Sign
        "_"  => "&#95;",      // Underscore
    );
    return strtr($cleanvar, $map);
}
?>




READ MORE ABOUT XSS -> http://en.wikipedia.org/wiki/Cross-site_scripting
