XSS stands for Cross-Site Scripting. In such an attack a hacker injects a script into the pages your site serves. Let's look at some basic precautions that protect a site against XSS.
Hackers mainly have two objectives when doing XSS:
1) Redirecting all site visitors to some other site
2) Running a malicious script on the user's PC and stealing their account or other private information.
XSS becomes possible when you take input from a user and show it on some page of the site. The hacker tries to find such an input and enters his malicious script code, which then gets injected into your site. Such an input can be an HTML form field or a GET parameter passed in the URL.
To protect the site from such script input, always moderate the content on the site. If your site is big and manual moderation is not easy, you can have an auto-moderator script that checks for invalid input.
For example, to run a script the hacker must use the <script> HTML tag, so to embed it in your page he will input <script>. Instead of keeping the angle bracket < as it is, replace it with the entity &lt; before displaying it on the page. When the browser sees &lt; it is not treated as the start of an HTML tag, so the script is not executed.
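The escaping step above, as an added example that is not part of the original post: the first function shows the vulnerable pattern (user input concatenated straight into the page), the second applies Python's standard `html.escape`, which replaces < with &lt; and also encodes >, &, and both quote characters. The submitted comment is constructed sample data.

```python
import html

# Constructed sample input: a visitor's comment carrying the <script> tag
# the post describes (test data, not a real submission)
SUBMITTED_COMMENT = "Nice post! <script>alert(1)</script>"


def render_unsafe(comment: str) -> str:
    """Vulnerable pattern: the raw input becomes part of the page's HTML."""
    return "<p>" + comment + "</p>"


def render_safe(comment: str) -> str:
    """Hardened pattern: escape HTML-significant characters before output.

    html.escape turns < into &lt;, > into &gt;, & into &amp; and, with
    quote=True, also encodes " and ' so the value is safe inside a quoted
    attribute as well as in the page body.
    """
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def contains_tag(markup: str, tag: str = "script") -> bool:
    """Demo check only: does a literal <tag appear in the rendered output?"""
    return f"<{tag}" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SUBMITTED_COMMENT))
    print("safe:  ", render_safe(SUBMITTED_COMMENT))
```

Running it shows the unsafe rendering still contains a live <script> tag while the safe one contains only the inert text `&lt;script&gt;`. Note that this escaping is correct for HTML body and attribute context; if user input is placed inside a `<script>` block or a URL, a different encoding is needed.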
Also disallow ".js" in input, so that it blocks JavaScript files. You can also disallow external links for more security.
Advanced level: one can think of an advanced-level algorithm like this.
Store a checksum of every file on your site and compare the checksums from time to time using a cron job. If a change is found, restore the original file.
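The checksum-and-restore idea above, as an added example that is not the original post's code: a baseline of SHA-256 hashes is built over the web root, a later scan reports modified, added and removed files, and known-good copies are restored from a pristine directory. The `demo()` function constructs a throwaway site in a temporary directory and simulates one tampered file and one dropped-in file; the directory names and file contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile


def file_sha256(path: str) -> str:
    """Hash a file in chunks so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (by relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_sha256(full)
    return baseline


def compare(root: str, baseline: dict) -> dict:
    """Re-hash the tree and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def restore(root: str, pristine_root: str, report: dict) -> None:
    """Copy known-good files back over changed/missing ones; delete planted files."""
    for rel in report["modified"] + report["removed"]:
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(pristine_root, rel), dst)
    for rel in report["added"]:
        os.remove(os.path.join(root, rel))


def demo() -> tuple:
    """Constructed scenario: pristine copy, live copy, tamper, detect, restore."""
    work = tempfile.mkdtemp()
    pristine = os.path.join(work, "pristine")
    live = os.path.join(work, "live")
    os.makedirs(os.path.join(pristine, "js"))
    with open(os.path.join(pristine, "index.html"), "w") as f:
        f.write("<html><body>Hello</body></html>\n")
    with open(os.path.join(pristine, "js", "app.js"), "w") as f:
        f.write("console.log('app');\n")
    shutil.copytree(pristine, live)
    baseline = build_baseline(live)  # what the cron job would store

    # Simulated tampering (constructed): one file altered, one file planted
    with open(os.path.join(live, "index.html"), "a") as f:
        f.write("<!-- tampered -->\n")
    with open(os.path.join(live, "dropped.txt"), "w") as f:
        f.write("not part of the site\n")

    before = compare(live, baseline)   # what the scheduled scan reports
    restore(live, pristine, before)
    after = compare(live, baseline)    # should be clean again
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    detected, remaining = demo()
    print("detected:", detected)
    print("after restore:", remaining)
```

In a real deployment the baseline and the pristine copy must live where the web server account cannot write to them, otherwise an attacker who can change site files can update the baseline as well. Restoring a file also only undoes the symptom; the input that allowed the change still needs fixing.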