How to secure an uploader from XSS?


Please help me... how do I secure my uploader from XSS?

Usually XSS gets the session ID from the URL in your browser.

#2
XSS stands for Cross-Site Scripting, meaning the XSS hacking method does not need any uploader to hack a site. Technically speaking, it steals the admin's session to hack a site using some script like a session/cookie logger. If you want to secure your site against XSS, disable Java/HTML where users can use it. You can use the htmlspecialchars() function to secure your site against XSS hacking. For example, a user will post like this:

Code:
<script>alert(document.cookie);</script>
and it will be displayed at the shoutbox, for example. Say your shoutbox variable is $shouts.

Instead of this

Code:
<?php
// mysql_fetch_array() returns a row array, so the 'shout' column is echoed, not the array itself.
$shouts = mysql_fetch_array(mysql_query("SELECT shout FROM prefix_tablename ORDER BY time DESC LIMIT 1"));

// Vulnerable: the stored shout goes straight into the HTML.
echo "Shouter: {$shouts['shout']}";
?>
you can do it like the code below to be safe from XSS hacking:

Code:
<?php
$shouts = mysql_fetch_array(mysql_query("SELECT shout FROM prefix_tablename ORDER BY time DESC LIMIT 1"));

// ENT_QUOTES also encodes single quotes, so the value is safe inside quoted attributes too.
echo "Shouter: " . htmlspecialchars($shouts['shout'], ENT_QUOTES, 'UTF-8');
?>

    http://wapx.amob.com
    Applications, Games, Wallpapers, Ringtones, Videos, Themes, Screensaver and More!!!
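As an added example (not code from the post above, and not from any project it mentions): the same shoutbox rendered with PDO and a context-aware encoder, run against a constructed in-memory SQLite table that stands in for prefix_tablename. The encoder name e(), the table layout and the two stored payloads are assumptions made for the demo.

```php
<?php
// Added example: output encoding at the point where untrusted text enters HTML.
// Assumptions: an in-memory SQLite table replaces the MySQL "prefix_tablename" table,
// and the stored shout is attacker-controlled.

declare(strict_types=1);

function e(string $s): string
{
    // ENT_QUOTES also encodes ' so the value is safe inside single-quoted attributes;
    // ENT_SUBSTITUTE avoids returning "" on invalid UTF-8, which would silently drop content.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function latestShout(PDO $db): ?string
{
    $stmt = $db->query('SELECT shout FROM shouts ORDER BY time DESC LIMIT 1');
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['shout'];
}

// Constructed sample data: the payload from the post, plus an attribute-breaking variant.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shouts (shout TEXT NOT NULL, time INTEGER NOT NULL)');
$ins = $db->prepare('INSERT INTO shouts (shout, time) VALUES (:shout, :time)');
$ins->execute([':shout' => '<script>alert(document.cookie);</script>', ':time' => 1]);
$ins->execute([':shout' => '" onmouseover="alert(1)', ':time' => 2]);

$latest = latestShout($db) ?? '';

// Vulnerable: the raw column is interpolated into the page.
echo "Unsafe:    Shouter: $latest\n";

// Hardened: encode when the string is placed into HTML, never when it is stored.
echo "Safe:      Shouter: " . e($latest) . "\n";

// Attribute context: the same encoder is enough only because the attribute is quoted.
echo 'Safe attr: <span title="' . e($latest) . '">shout</span>' . "\n";
```

Encoding on output rather than on input keeps the database holding the user's real text, so the same value can later be emitted safely into JSON, a URL or an e-mail with the encoder appropriate to that context.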



#3
How about BBCode, like the image BBCode? What's the script to prevent XSS from it?



#4
They are using PHP scripts in XSS: linking PHP in images, adding it in a script, etc. So you should prevent linking PHP files in images,

like this:
Code:
[img]http://host.com/path/session_stealer.php[/img]

Simply use str_replace.

For example, the BBCode is

Code:
$text = preg_replace('/\[img\=(.*?)\](.*?)\[\/img\]/is', '<img src="$1">', $text);
You can add str_replace on it like this:

Code:
// Strip the substring "php" from the post before the [img] tag is turned into HTML.
$text = str_replace('php', ' ', $text);
$text = preg_replace('/\[img\=(.*?)\](.*?)\[\/img\]/is', '<img src="$1">', $text);
If he posts an image like this

Code:
[img]http://host.com/path/session_stealer.php[/img]
it will be displayed as

Code:
<img src="http://host.com/path/session_stealer.">
and it will not work. :D

Another hint: hackers are adding their exploit in avatars. It's the same as BBCode; you can use str_replace.

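An added example, not code from the post above: a [img] renderer that validates the URL as a URL instead of deleting the substring "php" (which breaks legitimate links such as a folder named "php" and does nothing about .phtml, .PHP, or a query string). It assumes the simpler [img]url[/img] form without the "=" and a hypothetical allow-list of image hosts (IMG_HOSTS); the sample inputs are constructed.

```php
<?php
// Added example: allow-list the src of a BBCode image and HTML-encode everything else.
// Assumptions: hypothetical trusted hosts in IMG_HOSTS; the BBCode form is [img]url[/img].

declare(strict_types=1);

const IMG_HOSTS = ['i.imgur.com', 'cdn.example.org'];   // hypothetical policy

function safeImgUrl(string $url): ?string
{
    $p = parse_url(trim($url));
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;                                      // relative, javascript:, data: ...
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($p['host']), IMG_HOSTS, true)) {
        return null;                                      // session_stealer.php on attacker hosts
    }
    if (isset($p['query']) || isset($p['fragment'])) {
        return null;                                      // no ?sid=... exfiltration channel
    }
    if (!preg_match('/\.(?:png|jpe?g|gif|webp)$/i', $p['path'])) {
        return null;                                      // .php, .phtml, .PHP, no extension
    }
    return trim($url);
}

function renderImgBBCode(string $text): string
{
    // Encode the whole post first so any HTML the user typed is inert...
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // ...then re-emit only the tags this function builds itself.
    return preg_replace_callback(
        '/\[img\](.*?)\[\/img\]/is',
        function (array $m): string {
            $url = safeImgUrl(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
            if ($url === null) {
                return '[image removed]';
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $text
    );
}

// Constructed inputs: one legitimate image, then the attacks the thread discusses.
$samples = [
    '[img]http://i.imgur.com/abc.png[/img]',
    '[img]http://host.com/path/session_stealer.php[/img]',
    '[img]http://i.imgur.com/session_stealer.PHTML[/img]',
    '[img]javascript:alert(document.cookie)[/img]',
    '[img]http://i.imgur.com/x.png" onerror="alert(1)[/img]',
    '<script>alert(document.cookie);</script>',
];
foreach ($samples as $s) {
    echo $s, "\n  => ", renderImgBBCode($s), "\n";
}
```

Only the first sample survives as an <img>; the others come out as "[image removed]" or as inert encoded text. Because the src is re-encoded when the tag is built, a URL that passed validation can still never close the attribute.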



#5
Thanks for that. I already secured my HTML tags like what you are posting, but the hacker uses CSS to install the XSS. I have a CSS gallery on my wapsite, so how can I prevent the XSS uploader?



#6
Originally posted by leadiztah:
    Thanks for that. I already secured my HTML tags like what you are posting, but the hacker uses CSS to install the XSS. I have a CSS gallery on my wapsite, so how can I prevent the XSS uploader?

HTML and Java do not work in CSS. Hmm, maybe you have been hacked using a shell. Secure your uploader to prevent uploading PHP files, or add this to .htaccess:

Code:
php_flag engine Off
If your server is running in phpsuexec mode, php_flag will return a 500 Internal Server Error. Then, instead of php_flag engine Off, use the code below in your .htaccess:

Code:
<Files .htaccess>
Order Deny,Allow
Deny from all
</Files>
RemoveType .pl .cgi .php .php3 .php4 .php5 .xml .phtml .phtm .html .htm .wml .shtm .shtml .nth
RemoveHandler .pl .cgi .php .php3 .php4 .php5 .xml .phtml .phtm .html .htm .wml .shtm .shtml .nth
Last edited by wapxtech; 17.11.10, 03:07.

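An added example, not code from the post above: an upload handler that refuses server-side code by construction, so the .htaccess rules become a second layer rather than the only one. It assumes a hypothetical storage directory outside the document root (files are served back through a download script, not by Apache directly), the constructed sample files shown at the bottom, and Apache 2.4 syntax in the generated .htaccess.

```php
<?php
// Added example: validate an upload by content, give it a random name and our own extension,
// and keep it where the web server cannot execute it. Assumptions: $storeDir is outside the
// web root; the demo files below are constructed, not real uploads.

declare(strict_types=1);

const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

/** Sniffs the file content and returns the extension to store it under, or throws. */
function validateImage(string $path): string
{
    if (!is_file($path) || filesize($path) === 0 || filesize($path) > MAX_BYTES) {
        throw new RuntimeException('missing, empty or oversized file');
    }
    // The client file name and $_FILES[...]['type'] are attacker-controlled; sniff instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException("rejected content type: $mime");
    }
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('file does not parse as the claimed image type');
    }
    // A polyglot (a valid GIF carrying "<?php" in a comment block) still passes these checks;
    // the random name and the non-executing directory are what keep it harmless.
    return ALLOWED[$mime];
}

/** A name that carries no attacker-chosen bytes: 32 hex chars plus the extension we chose. */
function storedName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Real-request handler for e.g. $_FILES['avatar']; move_uploaded_file() only accepts true uploads. */
function handleUpload(array $file, string $storeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    $name = storedName(validateImage($file['tmp_name']));
    if (!move_uploaded_file($file['tmp_name'], $storeDir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

/** Defence in depth for the case where the directory ends up under the web root after all (Apache 2.4). */
function noExecHtaccess(): string
{
    return <<<'HTACCESS'
RemoveHandler .php .phtml .php3 .php4 .php5 .phps .pl .cgi .shtml
RemoveType .php .phtml .php3 .php4 .php5 .phps .pl .cgi .shtml
<FilesMatch "\.(?i:php\d?|phtml|phps|pl|cgi|shtml)$">
    Require all denied
</FilesMatch>
HTACCESS;
}

// Demo on constructed files (no HTTP request involved).
$dir = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/.htaccess", noExecHtaccess());

$gif   = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); // 1x1 GIF
$shell = '<?php system($_GET["c"]); ?>';
foreach (['avatar.gif' => $gif, 'avatar.png' => $shell, 'avatar.php.gif' => $shell] as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    try {
        echo "$label -> accepted, stored as ", storedName(validateImage($tmp)), "\n";
    } catch (RuntimeException $e) {
        echo "$label -> REJECTED: ", $e->getMessage(), "\n";
    }
    unlink($tmp);
}
```

The client's file name never reaches the disk, so a double extension such as avatar.php.gif has nothing to trick; the only extension a stored file can carry is one of the three in ALLOWED.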



#7
Thanks a lot wapxtech, such a great help for us.



#8
BTW, using htmlspecialchars in an attempt to block XSS is like trying to block SQL injection with magic quotes.



#9
@creativitykills Is the script above the best way to prevent SQL injection or XSS? Or are there other ways? And can it secure an uloki forum? Thanks for your opinion. God bless.



#10
How to secure from XSS (Cross-site scripting)?
Use: strip_tags() or htmlspecialchars().
Cross-site scripting - Wikipedia, the free encyclopedia

How to secure from UTF-7 XSS?
Use: header('Content-type: text/html; charset=UTF-8'); and <meta http-equiv="content-type" content="text/html; charset=utf-8" />
UTF-7 XSS Cheat Sheet

How to secure from cookie/session hijacking?
Use: when the user logs in, save his IP, and on every refresh check the user's IP against the saved one; if it doesn't match, delete the session.
Session fixation - Wikipedia, the free encyclopedia
Session hijacking - Wikipedia, the free encyclopedia
Session poisoning - Wikipedia, the free encyclopedia
Cross-site cooking - Wikipedia, the free encyclopedia

How to secure from CSRF (Cross-site request forgery)?
Use: generate a unique token on every refresh, and check it at every refresh, like http://www.example.com/example?bla=1...oken=Jdf1S19cQ
Cross-site request forgery - Wikipedia, the free encyclopedia

How to secure from code injection: directory traversal/remote file inclusion?
Use: only these symbols [A-Za-z0-9_-], and check if it is your file, like:
Code:
$modules = array('forum', 'chat');
if (in_array($_GET['module'], $modules))
    echo 'OK';
else
    exit('Module doesn\'t exist!');
Code injection - Wikipedia, the free encyclopedia
Directory traversal - Wikipedia, the free encyclopedia
Remote file inclusion - Wikipedia, the free encyclopedia

How to secure from malicious file upload?
Use: check every file's MIME type; if you use programs that are not yours, like a WYSIWYG editor, remove the demo pages.

How to secure from HTTP redirect?
Use: after header('Location: ...'); use exit(); or die();

How to secure from SQL injection?
Use: mysql_real_escape_string();
Last edited by MuniGod; 17.11.10, 09:10.
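An added example, not code from the post above: the CSRF-token, module-loading and SQL-injection items from that checklist, each written as a function that can be exercised without a live request. It assumes the session store is passed in as an array (in a real application, $_SESSION after session_start()), a hypothetical modules map, and a constructed in-memory SQLite users table in place of MySQL.

```php
<?php
// Added example: CSRF token, fixed module map, and bound SQL parameters.
// Assumptions: $session stands in for $_SESSION; MODULES and the users table are constructed.

declare(strict_types=1);

// --- CSRF: one random token per session, compared in constant time ---------------------
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));    // 256 bits, unguessable
    }
    return $session['csrf'];
}

function csrfValid(array $session, ?string $submitted): bool
{
    // hash_equals rather than ==: no timing leak, no type juggling surprises.
    return isset($session['csrf'], $submitted) && hash_equals($session['csrf'], $submitted);
}

// --- Module loading: look the name up in a map we own; never build a path from input ----
const MODULES = ['forum' => 'modules/forum.php', 'chat' => 'modules/chat.php'];

function modulePath($name): ?string
{
    // "../../etc/passwd", "forum\0", "http://evil/x" and an array value all miss the map.
    return is_string($name) && array_key_exists($name, MODULES) ? MODULES[$name] : null;
}

// --- SQL: bound parameters instead of escaping; the query shape cannot change -----------
function findUser(PDO $db, string $login, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, login, pwhash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return null;
    }
    unset($row['pwhash']);
    return $row;
}

// --- Demo on constructed data -----------------------------------------------------------
$session = [];
$t = csrfToken($session);
var_dump(csrfValid($session, $t));                           // true:  token round-tripped
var_dump(csrfValid($session, 'Jdf1S19cQ'));                  // false: guessed token
var_dump(csrfValid($session, null));                         // false: field missing

var_dump(modulePath('forum'));                               // "modules/forum.php"
var_dump(modulePath('../../etc/passwd'));                    // NULL
var_dump(modulePath('http://attacker.example/shell.txt'));   // NULL

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pwhash TEXT)');
$db->prepare('INSERT INTO users (login, pwhash) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
var_dump(findUser($db, 'admin', 'correct horse') !== null);  // true
var_dump(findUser($db, "admin' OR '1'='1", 'x') === null);   // true: the quote is just data
```

With bound parameters the classic "admin' OR '1'='1" is compared as a literal login string and matches nothing, which is the property mysql_real_escape_string() can only approximate when the connection charset and every quoting site are right.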



#11
@munigod Can I hire you to secure every hole of my uloki forum? How much is your labor? I can only pay via PayPal.



#12
Originally posted by Jervy:
    @munigod Can I hire you to secure every hole of my uloki forum? How much is your labor? I can only pay via PayPal.

Sorry, but I work only for myself. ;)



#13
Lots of buyers here! lol



#14
Thanks WAPXTECH and MUNIGOD -up-



#15
ADDING INFO:
To avoid XSS attacks, and POST-method SQLi, you can also use a string replace, replacing bad or suspicious characters with their ASCII codes.
Create a BBCode function for input and output.
The input function will change the bad character to its incomplete ASCII entity, like &#47;,
and the output function will put &#47; together.

So if a user inputs something like <,
simply change it to its ASCII code. :D Hope you got it.
Last edited by sm4rtgl0b3; 01.12.10, 03:15.
