Monday, April 14, 2008

Cross-site Scripting (XSS)

Two days back, my shoutbox was hacked :). I was not aware that people are actually visiting this, which I made long back to have similar thing for Ethos in june, 2005. After that i haven't updated the code and many things were left in between.

What actually happened: Cross Site Scripting, when we want user to input some data (which may be html/javascript) and displays it back. So if html/script tags are not properly checked it can cause trouble. Earlier I hadn't checked for javascript, iframe inputs. So somebody just inserted an iframe as message input in my shout box. And the source of iframe contained redirection to another website. So when shouts were displayed on the page the iframe code was displayed as it is and page got redirected to other page.

Luckily I checked the page just after the day this happened, So that way i actually got chance to update this orphaned code and made some fixes.

Solution : Idea is to filter meta characters such as (< , >, ' , " etc) Which will prevent browser from processing them as part of some script, they will be processed as plain text only.
So while doing in php you can do:


And to be on safer side we should also replace following characters:

replace ( with &#40;
replace ) with &#41;
replace & with &amp;
replace ' with &#39;
replace " with &#34;

Or If you are not expecting user to input these characters then you can simply replace these with null string;

So now you can enjoy Shout Box until some new bug is found or its hacked again [;)]

Related post:
SQL Attacks: Hacking (SQL injection)

No comments: