Tuesday, May 30, 2006

Cross Site Scripting - Hijacked Web Sites

I found a very good article on cross site scripting. This particular type of hack is very disconcerting because someone could basically take over your site and redirect users elsewhere, or steal passwords and data.

cross site scripting

This article brings up a few side issues to consider in relation to security:

I choose never to store passwords in my browser. You have that option, but this is an obvious major focus of hackers looking for your bill paying, email and banking site logins. A cross site scripting attack, according to this article, could allow hackers to get at this data.

PHP and other scripting languages are subject to these types of attacks and have certain vulnerabilities inherent in the way they work. Client side scripting is great, but make sure everything is double checked server side. Script by its very nature has less validation than typical server side languages. Check your work!

Preventing Cross Site Scripting

Two things to prevent cross site scripting: Validate every single form entry on your web site. You can either reject invalid data, or parse out any HTML characters such as < and " and replace them with entity values such as &lt; and &quot;. This renders previously executable code meaningless.

Finally, there is the whole issue of checking referring pages, as mentioned in previous posts. Make sure the referrers and pages coming to you are what you expect by checking them on critical forms such as login and e-commerce checkout pages. This doesn't do much good if your form has been referred away to another server, but it can check when information is coming into your server to ensure it's coming from the source you expect.
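
The three checks described above (rejecting invalid form data, replacing HTML characters with entities, and checking the referrer on a critical form), shown together as an added example that is not from the original post or the linked article. The host name, the username rule and the function names are assumptions chosen for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed values for illustration; not from the original post.
EXPECTED_HOST = "shop.example.com"
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Reject approach: accept only an allowlisted character set."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_for_html(value):
    """Replace approach: < > & " ' become entities, so the browser
    displays the characters instead of parsing them as markup."""
    return html.escape(value, quote=True)


def referrer_is_expected(referer_header, expected_host=EXPECTED_HOST):
    """True only if the Referer header names our own host over HTTPS.
    A missing or unparseable header is treated as unexpected."""
    if not referer_header:
        return False
    try:
        parts = urlsplit(referer_header)
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname == expected_host


def handle_comment_form(fields, referer_header):
    """Server-side handling of a constructed comment form submission."""
    if not referrer_is_expected(referer_header):
        return 403, "unexpected referrer"
    if not validate_username(fields.get("username", "")):
        return 400, "invalid username"
    # Free text cannot be allowlisted, so it is encoded on output instead.
    comment = encode_for_html(fields.get("comment", ""))
    return 200, "<p>{} wrote: {}</p>".format(fields["username"], comment)


if __name__ == "__main__":
    # Constructed sample request, not real traffic.
    sample = {"username": "alice", "comment": '<script>alert("x")</script>'}
    print(handle_comment_form(sample, "https://shop.example.com/post/1"))
```

The Referer header is supplied by the client and is sometimes stripped by browsers or proxies, so this check works as an extra filter alongside validation and encoding, not in place of them.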