Cross Site Scripting (XSS) occurs in two forms:
- Non - Persistent
- Persistent
This usually occurs when a hacker injects javascript code into the url of the webpage, or influences someone to go to a page with javascript in the url, either way, it is the most common and least dangerous form of XSS (although this does not mean it shouldn't be analysed, because many attacks occur this way, and the safety of the people using your site would be in jeopardy).
Lets give an example:
lets say your url was
http://www.yourdomain.com?errormessage=This is an error
and your webpage looked like this:
This is an error
now what would happen if a hacker changed it to
http://www.yourdomain.com?errormessage=
Now your page wouldn't display anything, but instead it would display an alert box saying "test"
this means that the hacker can maliciously insert javascript code into the page to make it do whatever they like,
This includes sending vital personal information to other websites (Cross Site).
Persistent:
This is less common than non-persistent, yet a lot more destructive,
This type of XSS is similar, yet instead of the hacker inserting javascript into the url, they insert it into a form, eg a guest book, and when someone reads their post, the javascript is executed,
eg:
your website has a guestbook that users can enter their opinions of the site,
Now a hacker comes along and types into the guest book and clicks "Post",
Now when someone looks at the guest book, it displays the hackers code, which then alerts "test" onto the screen, this means that javascript can be in the guest book, this means the hacker can send the user to another website and back again, saving vital information along the way, without the user knowing anything.
So the outcome to this is that a hacker can steal many peoples information without the user even knowing whats going on.
Stopping XSS:
Yes you guessed it, the way to stop XSS from occurring is to stop people from entering code into the URL or into forms, this can be easily done by escaping the information,
in php you can use the function strip_tags( ) , which removes any unwanted HTML and php tags, i hope this post has helped you and given you an insight into the different ways that hackers can penetrate a site,
be sure to follow this blog, as i frequently update it with more website security news and tips,
thanks, Nick
a good video explaining XSS even more can be found at:
http://www.youtube.com/watch?v=WZCXIrW0xZ0
An interesting point to make: In this blog post i entered some javascript
if you view the source code for this page you will notice that the < > symbols have been changed to their character code, this has been done by Blogger to prevent a Cross Site Scripting
attack, this is another way of removing the threat (by changing certain characters to their character code) .
