Posted by Admin in Questions & Answers
In this post I’ll show you cross site scripting example , what is cross site scripting and how to protect your website from cross site scripting attack.
What Is Cross Site Scripting
Cross Site Scripting is a type of computer security vulnerability where malicious users can add carefully-constructed comments to webpages with the intention of fooling web browsers.
Cross site scripting flaws occur whenever an application takes untrusted¸data and sends it to a web browser without proper validation and escaping. Cross site scripting allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Cross Site Scripting Example
I’ve created web application XSS_App that is vulnerable to cross site scripting attack.
XSS_App contains :
- index.php – form that allows visitors to post comments
- hackspccomments.php – PHP script that stores comments in the database table_comments.sql
- viewcomments.php – PHP script that allows visitors to view all comments
The visitor can see all comments on viewcomments.php . viewcomments.php retrieves comments from the database table_comments.sql .
PHP script 1.1 that retrieves comments :
So, let’s assume that visitor 1 “John” publish the comment “Your website is the best!” ; visitor 2 “Jake” publish the comment “I don’t like your website ” ; visitor 3 “Max” publish the comment “Good!” .
In the database table_comments.sql will be stored :
When the visitor clicks the link : “View all comments!” , it will run PHP script 1.1 that retrieves all data from table_comments and show all comments !
Source code from viewcomments.php :
You can try XSS_App on this LINK !
How To Protect Your Website From Cross Site Scripting Attack
viewcomments.php protected with htmlspecialchars() function :