How to protect a website from an XSS attack?

Posted By: KP On March 2, 2011 Under Internet, Security Stuff, Web Master Categories


XSS stands for Cross Site Scripting. In such an attack, an attacker injects script into the pages your site serves. Let's look at some basic precautions to protect a site from XSS attacks.


Attackers mainly have two objectives in doing XSS:

1) Redirecting all site visitors to some other site

2) Running a malicious script on the user's PC and stealing their account or other private information.

XSS becomes possible when you take input from a user and display it on some page of the site. The attacker looks for such an input and enters malicious script code, which then gets injected into your site. Such an input can be an HTML form field or a GET parameter passed in the URL.

To protect the site from such script input, always moderate the content on the site. If your site is big and moderating is not easy, you can have an auto-moderator script which checks for invalid inputs.

For example, to run a script the attacker must use the <script> HTML tag. To embed it in your page he will input <script>. So instead of keeping the angle bracket <, replace it with &lt; before displaying it on the page. When you use &lt;, it won't be treated as an HTML tag and the script won't be executed.

Also disable ".js" in input, so it will block all JavaScript. You can also disable external links for more security.
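As an added example (not code from the original post), here is the escaping rule described above in Python, extended from "<" to the other characters that matter in HTML text and attribute contexts, with the vulnerable rendering pattern beside the hardened one. The comment text it processes is constructed for the demonstration.

```python
import html

# Entities for every character that can change meaning in HTML text or
# attribute values. "&" is listed first so it is escaped before entities are
# introduced, which avoids double-escaping.
HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def escape_html(text: str) -> str:
    """Replace HTML-significant characters with entities, one pass."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in text)


def escape_html_stdlib(text: str) -> str:
    """Same result using the standard library (quote=True also escapes quotes)."""
    return html.escape(text, quote=True)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: raw user input concatenated into the page.
    Anything the user typed, tags included, becomes part of the markup."""
    return '<p class="comment">' + comment + "</p>"


def render_comment(comment: str) -> str:
    """Hardened pattern: escape at output time, in the HTML text context.
    This does not depend on spotting '.js' or any particular tag name; every
    '<' the user sent is rendered as literal text instead of markup."""
    return '<p class="comment">' + escape_html(comment) + "</p>"


if __name__ == "__main__":
    user_input = "<script>"  # constructed sample input, as in the post
    print("unsafe:", render_comment_unsafe(user_input))
    print("safe:  ", render_comment(user_input))
```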

Advanced level: One can think of an advanced-level approach like this.

Store a checksum of all your files. Compare the checksums from time to time using a cron job. If a change is found, restore the original file.

All of these approaches depend on thinking the problem through and reach the same common goal. It's up to you which you prefer.


