A Quick Note on Cross Site Scripting (XSS)
Date Published: 24/05/2009 13:27
Recently I have checked through my server logs and have come across some rather strange requests, originating from a variety of IP addresses. The requests came through with either an innocuous or non-existent user agent and had very strange variables in the query string. I immediately recognised these as an attempt to perform a cross site scripting (XSS) attack on my site. It just so happens that I was well aware of this sort of technique whilst building the site, and therefore I have many facilities in place to protect my server, my data and, most importantly, my users. Here is a quick overview of cross site scripting and what you need to be doing to make sure there isn't a successful attack on your site.
How do XSS Attacks Work?
How Do I Know if I am Being Subjected to XSS Attacks?
The first thing to consider is whether you can detect if XSS attacks are happening to your server. Most Apache installations log to an access_log file by default, so you may want to start by browsing through that to see if you can spot anything suspicious. Look for request URLs containing query string values you would not usually expect, which may indicate malicious intent. I find the easiest method of tracking requests is to log each request that is made to a database. What you put in the database is up to you, but including information such as user agent, IP address, script requested, query string and referer can be very useful for future reference. Using a database, as opposed to relying only on Apache's access log, also allows you to quickly search your records for similar incidents.
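As an added example (not part of the original article), here is a small Python script that does the kind of log review described above: it parses Apache combined-format access_log lines, URL-decodes each query string value (twice, so double-encoded values are caught), and flags requests whose parameters contain script-like content or which arrive with a blank user agent. The log lines, the regular expression and the pattern list are constructed for this example; the pattern list is a starting point, not a complete signature set.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" log format (constructed regex, assumes the default layout)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Starting list of values you would not expect in a normal query string
SUSPICIOUS = re.compile(r'<\s*script|<\s*iframe|javascript:|onerror\s*=|onload\s*=', re.I)

# Constructed sample lines: one normal request, one script in a parameter with no
# user agent, one double-encoded (%25 -> %) script tag with a normal user agent.
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2009:13:01:02 +0100] "GET /article.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [24/May/2009:13:02:10 +0100] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 311 "-" "-"
192.0.2.77 - - [24/May/2009:13:03:44 +0100] "GET /page.php?ref=%253Cscript%253E HTTP/1.1" 200 100 "-" "Mozilla/4.0"
"""

def parse_line(line):
    """Return the fields worth storing in a request-log database, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["path"])
    entry["script"] = url.path
    # parse_qsl already decodes once; decoding again exposes double-encoded values
    entry["params"] = [(k, unquote_plus(v))
                       for k, v in parse_qsl(url.query, keep_blank_values=True)]
    return entry

def flag(entry):
    """List the reasons a request looks suspicious (empty list means none)."""
    reasons = [f"suspicious value in {k}" for k, v in entry["params"] if SUSPICIOUS.search(v)]
    if entry["ua"] in ("", "-"):
        reasons.append("missing user agent")
    return reasons

def scan(log_text):
    """Return (ip, script, reasons) for every flagged request in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and flag(entry):
            hits.append((entry["ip"], entry["script"], flag(entry)))
    return hits

if __name__ == "__main__":
    for ip, script, reasons in scan(SAMPLE_LOG):
        print(ip, script, "; ".join(reasons))
```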
How Can I Prevent a Cross Site Scripting Attack?
There are a few measures you can take to ensure these attacks are not a problem for you. Preventing attempts by hackers is very difficult, but validating input so that the attempts are not successful is quite simple. Here is a list of things to consider; if you feel your site may be vulnerable in any of these areas, I would look into fixing it right away.
- Register Globals OFF (PHP and Apache Only) - One of the easiest ways to prevent a large number of attacks is to ensure register_globals is switched off. By having it switched on you are giving hackers easy access to your variables. If your code requires globals, try to change it so that it doesn't.
- Validate ALL User Input - This may seem an obvious one, but people don't realise that user input is NOT only form input. Just because your users never actively change the query string themselves doesn't mean nobody will try. Validate all input pessimistically and don't take it for granted that what's in there is what you are expecting. Cookies are also something that are not often validated. There are ways to change cookie values maliciously, so take extra care with these too.
- Parameterise Your SQL - Pass data to your database server using parameters and not just plain SQL; this way your queries won't get hijacked.
You may feel that the likelihood of someone attempting to hack your site is very slim, but don't take that for granted. XSS attacks are usually carried out by bots searching the web for potential targets, as opposed to a human being. These bots regularly run on machines infected with a virus, so chances are the owner of the computer has no idea what is happening. A bot will not hold back from hacking your site just because it only has a handful of visitors, as it only takes one of those visitors to be infected as a result of the hack for it to be worthwhile. As webmasters it is our responsibility to make sure we don't expose our visitors to potential viruses, so however big or small your site, you should take prevention of these kinds of attacks very seriously.