Security – XSS (PHP)


Hello geeks,
in this post you’re going to learn a little bit about XSS. I’ll be answering the following questions:
– What is XSS?
– How to use XSS?
– How to protect your website from XSS?

Let’s start!
Question: What is XSS?
XSS (Cross-Site Scripting) means getting your own code to run on a website that you don’t own. That means (with JavaScript) you can create cookies, load other websites and do a lot of other cool stuff without the victim of the XSS attack noticing anything.
So, for XSS you’ll use JavaScript. You could also use HTML, but that would be pretty boring. JavaScript is a programming language that runs on the client, that is, in the victim’s browser. You can do pretty cool stuff, but I will just use a boring example.

NOTICE THAT USING XSS TO DAMAGE SOMEONE IS ILLEGAL. IF YOU FIND A BUG ON A WEBSITE, PLEASE REPORT IT TO THE ADMIN!

Question: How to use XSS?
Consider the following scenario: a hacker is trying to run this extremely dangerous JavaScript code:

<script type="text/javascript">
 alert("Hello");
</script>

But how is he going to run this without uploading anything, and maybe even on a trusted website?
The answer is XSS. But the hacker needs to find a vulnerable component on the website.
In this scenario the hacker will use the good old search.

The search engine searches the posts and shows the input that the user typed in on the page.
Example (we put “hello” in the search):

You searched: hello

Alright, but how can we use this now for an XSS attack?
Easy, the hacker just puts his JavaScript code in the search:

<!-- If JavaScript is activated. -->
search: <sc....></script>
ALERT: Hello

Your client will just run every tiny script that it finds in the website, including the code
that the hacker injected. Now the hacker can spread the link with the search request,
and if people visit the infected website,
the “hyperlink explorers” won’t have any money in their bank accounts. 😉

Example of a URL:
www.example.com/search.php?search=<script+...>+... DANGER ...+</script>

How can I prevent XSS?

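Just escape EVERY user input that you print out!
Use the function “htmlentities()”. It converts characters that have a special meaning in HTML (such as < and >) into
HTML entities, so the browser shows them as text instead of treating them as markup.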

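<?php
// Read the search term; fall back to an empty string if the field is missing.
$user_input = $_POST["input_search"] ?? "";
// ...
// Escape before printing. ENT_QUOTES also converts single and double quotes.
echo htmlentities($user_input, ENT_QUOTES, "UTF-8");
?>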
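
The search page from this post with the term printed in two places, once unescaped and once through htmlentities(). This is an added example, not the author's code; the function names, the form markup and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: the search page from this post, without and with escaping.
// Function names and the form markup are assumptions for illustration.

// Vulnerable: the search term is pasted into the HTML unchanged,
// so any markup in it becomes part of the page.
function render_vulnerable(string $term): string
{
    return '<form action="search.php" method="get">'
         . '<input name="search" value="' . $term . '">'
         . '</form>'
         . '<p>You searched: ' . $term . '</p>';
}

// Escape for HTML output. ENT_QUOTES also converts " and ', which matters
// inside attribute values; ENT_SUBSTITUTE replaces invalid byte sequences
// instead of returning an empty string.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: every place where the term is printed goes through e().
function render_escaped(string $term): string
{
    return '<form action="search.php" method="get">'
         . '<input name="search" value="' . e($term) . '">'
         . '</form>'
         . '<p>You searched: ' . e($term) . '</p>';
}

// Constructed sample inputs: a normal search, the script from this post,
// and a value with a double quote that would end the value="..." attribute.
$samples = [
    'hello',
    '<script type="text/javascript">alert("Hello");</script>',
    'say "hello"',
];

foreach ($samples as $term) {
    echo "input:      $term\n";
    echo "vulnerable: " . render_vulnerable($term) . "\n";
    echo "escaped:    " . render_escaped($term) . "\n\n";
}
```

Run it with the PHP command-line interpreter and compare the two outputs: in the escaped version the script tag and the quotes arrive as entities such as `&lt;` and `&quot;`, so the browser shows them as text.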

Thank you for reading this post! This is just a simple example! This was more of an introduction to XSS, so please learn more about it.

Author

Kawa Acikgoez

I'm a 16-year-old dude from Germany programming in PHP and Java (Android).
