An XSS attack is one of the top most tried out attacks on a PHP enabled system and your PHP script may not be immune.
This attack is made by injection of code via a web form. The code injected can be any malicious client-side code, such as JavaScript, VBScript, HTML, CSS, Flash, and others. The code is used to save harmful data on the server or perform a malicious action within the user’s browser.
Sadly, many developers fail to deliver a secure code thus open to attacks. Every programmer should consider such attacks and vulnerabilities and try to make the program or script free from getting attacked. There might be a lot of reasons why these things might go unnoticed while writing codes. Lack of experience or just mere carelessness can later have adverse effects. Many Offshore IT Outsourcing services who have developers working from all over the globe are now more careful and do proper vulnerability checks before releasing the code to production.
Example
Let me give you an example which will explain you how does such attacks happen.
Below is an index.php page with the following code.
<form method="post" action="save.php"> <input type = "text" name = "name"> <input type="submit" name="submit" value="Apply"> <a href=”www.myjobs.com”> Apply for Network Administrator Jobs</a> </form>
In the above html code there is a simple form with a textbox and submit button. On click of the button the form is submitted to save.php for further processing.
A genuine user will fill up his/her name but an attacker can inject code instead of name.
Suppose on save.php just prints out the name.
echo $_POST['name'];
Suppose instead of writing a plane name the attacker inputs <script>alert(‘HaHa You are attacked!!’);</script>.
If the scripts are not filtered the user will see the popup with message “HaHa You are attacked!! “.
Such JavaScript alert messages though are not harmful still are malicious. But think about what could happen in the JavaScript code was written to steal a user’s cookie and extract sensitive information from it? There are far worse XSS attacks than a simple alert() call.
As mentioned earlier, application development outsourcing or web development outsourcing has its ups and downs. The most common mistake is failing to perform functional tests in end user’s environment. To ensure your app works well, your testing procedures should closely mimic the scenarios experienced by your expected real end users. You may run into problems if outsourced developers need to simulate or hard-code different use cases.
The other thing to be careful about is related to Project Management Outsourcing. Hiring a Project Manager with poor communication skills can lead to problems as well. Effective communication is essential for development, and a language barrier can make communication much more difficult. It’s crucial that the people you work with understand what you’re saying, including the finer details. Otherwise, you run the risk of getting end results that won’t meet your expectations.
Types of XSS Attacks
- Non-Persistent: The kind of attack shown in the above example falls under this category. It means attacks in which the code is not actually stored on the server but is rather presented to the user.
- Persistent: This attack is more dangerous one in which the code is actually injected into server.
Preventing XSS Attacks
Preventing a webpage from an XSS attack should always be there in your mind. You can better create a function that prevents these attacks and call it every time. Fortunately, it’s very simple to prevent these attacks. You should never trust a user that he or she will always input proper data. There are millions of attackers sitting online just to find a prey.
Every bit of data must be validated on input and escaped on output. This is the golden rule of preventing XSS.
To prevent attacks we should follow data validation, data sanitization and output escaping.
Data Validation
It is a process where you validate data according to its requirement. Every piece of data must be validated.
Eg : When you want to validate a phone number you should only allow the user to enter numbers and discard strings or characters. And if you want to allow some special characters like “plus”,”brackets” or “dashes” as such characters are also an acceptable phone format you may use a regular expression for same.
<?php
// validates an Indian mobile number
if (preg_match('^((\\+91-?)|0)?[0-9]{10}$', $phone)) {
echo $phone . " is valid format.";
}
Data Sanitization
It’s a process where you clean up the data by removing any unwanted bits.
Eg : You may want to remove all HTML markups from the data.
<?php // sanitize HTML from the comment $comment = strip_tags($_POST["comment"]);
Output Escaping
When presenting the data as output via a browser the output should be escaped to protect its meaning.
<?php // escape output sent to the browser echo "You searched for: " . htmlspecialchars($_GET["query"]);
Summary
Never trust the data coming from users and take all required actions to prevent such attacks. You can prevent them with Data Validation and Sanitization and also by escaping Output to protect users. Perform proper vulnerability scans on all code from all developers. If the attacks occur on vulnerable codes, it can be very expensive even though your use IT Support Outsourcing or have an in house support.
