Understanding XSS attacks

Hello:

I am really trying to understand XSS attacks and can’t seem to wrap my head around it. I would rather seem like a fool than program like one with holes in it. My problem is understanding how an attack occurs. Let’s say Mary logs into the system and creates a record in the table via an HTML form. I have PHP filters and validation for the data before it actually goes into the MySQL table. My question is: how does John attack my website? Or more importantly, how does he actually change files? If he were to have a login and gains access because it doesn’t take much to register, how? Is it a matter of the filter being bad and his XSS script is in a record, and when someone opens/views that record (field) the script is launched? I have read lots on how the JavaScript, for example, is placed in the URL or form fields, but nothing explains whether the information is saved and launched via the record stored in the database.

It's long, but give this a read: http://ha.ckers.org/xss.html

It says it doesn't cover basics, but I think as long as you know what an XSS attack is, it explains it all pretty well.

Basically a simple XSS attack example is when someone exploits some kind of input to write malicious code into your database.

For example, a comment posting system.

Malicious user adds some JavaScript or other code to a post that steals the user's cookie or session data.

User reads comment and gets their cookie or session data stolen.

If you clean EVERY input on your website properly you are pretty safe; there is more to it than that, but that's the fundamentals. So cleanse any HTML, JavaScript etc. from inputs and validate the input to make sure it's safe.

One thing that makes XSS attacks particularly nasty is the inventive ways malicious users come up with to get past your security.

One thing about the site listed that's nice is that it provides you with loads of harmless XSS attacks (all will create a popup that says XSS), but shows the method of starting the attack, so you can plug those examples into your forms and see what happens. If the code executes, you have a vulnerability.

A tip:

I have an input cleaner class on all of my applications; every single input, be it GET, POST or whatever, goes through it and it cleanses the data. Of course you want to be validating on both ends (in and out) on top of that.

Then use a site like that and try to compromise your site, and see what happens ACROSS MULTIPLE BROWSERS, because being safe on one doesn't make you safe on others.

Thanks for the response. So XSS is all about the data in the database that then causes the attack, correct? And the solution is filtering and sanitizing, input and output, correct?

Essentially yes, but it's a bit more complicated than that.

It’s where a user exploits your input fields or URL (or anywhere where data is coming into your application), injecting malicious code into the system that is then executed or stored (and later displayed), so it can be more than the DB and have a greater scope than that.

The attack usually happens on the display (like the comment example: a bad user injects malicious code into a comment, other users then view the comment, and that malicious code executes, doing stuff that you and they don’t want to happen).

Sanitizing and validating your input and output is what's important, though.
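As an added illustration of the comment-system scenario and the "attack happens on display" point above (example code, not from anyone in this thread): a tiny comment page with a constructed in-memory "table" standing in for the MySQL rows. The vulnerable renderer concatenates the stored comment straight into the markup, so the harmless `alert('XSS')` probe that the cheat sheet uses reaches the reader's browser as a live tag; the hardened renderer encodes at output time, in the HTML text context, and the same stored bytes become inert text.

```javascript
// Constructed sample rows standing in for the comments table. The third row is
// the harmless probe the thread mentions: it only opens a popup that says XSS.
const commentsTable = [
  { author: "Mary", body: "Great article, thanks!" },
  { author: "Tom", body: "Use a <b>bold</b> tag? 5 > 3 && 2 < 4" },
  { author: "John", body: "<script>alert('XSS')</script>" },
];

// Output encoding for the HTML *text* context: the five characters that can
// change how the browser parses the surrounding markup are replaced by entities.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: stored data dropped straight into the page, so whatever John
// typed is parsed as markup by every reader's browser (stored XSS).
function renderCommentsVulnerable(rows) {
  return rows.map(r => `<li><b>${r.author}</b>: ${r.body}</li>`).join("\n");
}

// Hardened: encode at the point of output. The rows in the "database" are left
// untouched; Tom's legitimate "5 > 3" survives and John's tag is just text.
function renderCommentsSafe(rows) {
  return rows
    .map(r => `<li><b>${escapeHtml(r.author)}</b>: ${escapeHtml(r.body)}</li>`)
    .join("\n");
}

// A simple self-check in the spirit of "plug the probes into your forms and see
// what happens": does the rendered page still contain an unencoded script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("vulnerable:\n" + renderCommentsVulnerable(commentsTable));
console.log("hardened:\n" + renderCommentsSafe(commentsTable));
```

Note that `escapeHtml` is correct only for the HTML text and quoted-attribute contexts; a value placed inside a `<script>` block, a URL, or a CSS property needs that context's own encoder.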