XSS: Cross Site Scripting
Alan Geleynse
Example
<?php
// The request parameter is echoed into the page unescaped.
$name = $_GET['name'];
echo "Hello $name!";
/1.php?name=<SCRIPT>alert("XSS")</SCRIPT>
Don’t display parameters
User profile page
  User enters their name
  Other users can view their name
<?php
// htmlspecialchars() encodes <, >, & and " as HTML entities before display.
$name = htmlspecialchars($_GET['name']);
echo "Hello $name!";
<SCRIPT>alert("XSS") </SCRIPT>
Only way to protect against XSS is to remove: < >
  This prevents the use of HTML as well
What do we do?
  Don’t allow “ ” unless absolutely necessary
  Never trust input
  ALL data should be processed before display
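The profile-page case above, as an added example (not code from the original slides): the stored name is escaped at the moment it is displayed, with an encoder chosen for each output context. The helper names `e`, `js` and `renderProfile` and the sample names are assumptions made for illustration.

```php
<?php
// Added example, not from the original slides. Helper names are hypothetical.

/** Escape a value for HTML element content and quoted attribute values. */
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value cannot end a quoted
    // attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a value as a JavaScript string literal for use inside <script>. */
function js(string $value): string
{
    // The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX escapes, so the
    // literal cannot close the string or the surrounding <script> element.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_THROW_ON_ERROR
    );
}

/** Render the profile fragment that other users see. */
function renderProfile(string $storedName): string
{
    return '<h1>Hello ' . e($storedName) . "!</h1>\n"
         . '<input name="name" value="' . e($storedName) . "\">\n"
         . '<script>var profileName = ' . js($storedName) . ";</script>\n";
}

// Constructed sample input: names as they might have been saved by a user.
$samples = [
    'Alan',
    'Pat "Bob" O\'Neil',
    '<SCRIPT>alert("XSS") </SCRIPT>',
];

foreach ($samples as $name) {
    echo renderProfile($name), "\n";
}
```

The name is stored as entered and encoded only at output, so the same value can be placed safely in element text, an attribute, or a script block.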
Does this really happen?
  9 days ago apache.org was compromised
  Attackers opened a bug issue
  The bug was a tinyurl directing to an XSS attack
  The attack stole the user’s login cookie
  This gave them access to administrator accounts
  They uploaded a jsp file and could then log passwords
  They sent password reset emails to convince users to log in
Questions