120 likes | 318 Vues
XSS: Cross Site Scripting. Alan Geleynse. Example. <? php $name = $_GET ['name']; echo "Hello $name!";. /1.php?name =<script>alert ("XSS ")</script>. Don’t display parameters. User profile page User enters their name Other users can view their name. <? php
E N D
XSS:Cross Site Scripting Alan Geleynse
Example <?php $name = $_GET['name']; echo "Hello $name!";
User profile page • User enters their name • Other users can view their name
<?php $name = htmlspecialchars($_GET['name']); echo "Hello $name!";
<SCRIPT>alert("XSS") </SCRIPT>
Only way to protect against XSS is to remove: • < • > • This prevents the use of HTML as well
What do we do? • Don’t allow “<“ and “>” unless absolutely necessary • Never trust input • ALL data should be processed before display
Does this really happen? • 9 days ago apache.org was compromised • Attackers opened a bug issue • The bug was a tinyurl directing to a XSS attack • The attack stole the user’s login cookie • This gave them access to administrator accounts • They uploaded a jsp file and could then log passwords • They sent password reset emails to convince users to log in