Servage Magazine

Information about YOUR hosting company – where we give you a clear picture of what we think and do!

Protecting your application from cross-site attacks

Sunday, April 9th, 2017 by Servage

xss-shieldCross-site scripting (XSS) is an attack where a user embeds malicious code as part of a website. This can be done for instance by submitting a comment on a blog website. If the comment contains a malicious script, it will be executed by all visitors who read the blog article. These attacks are quite common, and there are many varieties of XSS scripting. Let’s find out what methods are available to protect web applications from these vulnerabilities.

Escaping User Input

This is arguably the most important thing to do to prevent XSS attacks. On many websites, users are allowed to freely fill out forms that save the input in a database. Let’s consider the above example where a user submits a malicious comment to a blog post. The comment contains this line: <script>alert(‘Hello, World!’);</script>. If the line is saved “as is”, all visitors who see the comment will also execute the JavaScript code that the malicious user submitted.

Scripts are not the only things to escape though. Users should not be allowed to write HTML elements or inline styles using the <style> tags either. For example, the <style> tag could be used to overwrite the styles of a website, making it look different than what a developer had intended. HTML tags can be used to insert unwanted audio, video and other elements to a website.

When using PHP, you can use the htmlspecialchars() function, which escapes all of the above for you. Simply pass the content you want to escape as an argument to the function and it will return the escaped version.

Protecting Cookies from JavaScript

Malicious JavaScript like the example above can be used to read and write cookies. Since cookies often store sensitive information, such as session tokens, they should be hidden from JavaScript.

Fortunately, this is easy to implement. When creating a cookie, you must enable the HTTPOnly flag when creating a cookie. This is a boolean parameter that should be set to true when calling the setcookie() method. For other languages such as JavaScript, the HTTPOnly flag can be set in a similar manner.

Using a Framework

If you use a framework such as Laravel or Angular, any data you insert to and read from a database is automatically escaped for you. Frameworks often utilize a templating engine that allows you to insert data using a syntax like {{ $comment->message }}. However, they also let you get the unescaped version when needed. Template engines and frameworks automate what you should do with data every time when storing or retrieving it from a database. They are also well tested to do it securely.

Protecting your application from cross-site attacks, 4.7 out of 5 based on 3 ratings
Categories: Tips & Tricks


You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

No comments yet (leave a comment)

You are welcome to initiate a conversation about this blog entry.

Leave a comment

You must be logged in to post a comment.