A Quick Look at Cross Site Scripting
(Page 1 of 6 )

We may not be able to completely bulletproof our websites, but we can at least try to anticipate possible attacks and secure against them. Here is one you might not have heard of: cross site scripting. With just a bit of JavaScript, a malicious attacker can use it to cause all sorts of problems. To find out more about what it is, and how to prevent your website from becoming a victim, keep reading.

Introduction

The question keeps spinning in our minds, just like a ball bouncing deeply inside the brain: is our website really secure? Surely, that’s a very tough topic to answer. But one thing is true in all cases: there are not any websites “completely” safe from attacks. Given the uncontrolled and anonymous nature of the Internet, the concept of a bulletproof website is merely a pipe dream.

More specifically, Web servers are inherently public machines, being accessible by many people around the world, and clearly exposed to several well-known attack techniques. The value of the information stored on servers varies widely, depending on what kind of sites they are hosting, but it’s always appealing to potential attackers. However, there is a lot that we can do about securing our website.

We are well aware of many attack methods which might end up exposing, modifying, or deleting sensitive data, so our site is well assured against them. Also, we have updated our software accordingly, stopped unnecessary services on the server, closed unused TCP ports, encrypted data, and the like. What else could be vulnerable? Many times, it’s not properly considered or ignored: assumptions made by developers.

Designers and programmers need to make many assumptions. Hopefully, they will document their assumptions and usually be right. Sometimes thought, developers will make poor assumptions. These might include that input data will be valid, will not include unusual characters or will be a fixed length. That brings us almost immediately to the well-known “SQL Injections,” widely documented in several articles on the Web, in conjunction with Cross Site Scripting attacks. Here is where this article comes in.

In the rest of the article, I'll cover what Cross Site Scripting is, how it works and how it can be avoided, increasing our site’s security level and, hopefully, bringing an overall improvement to our security strategy.

Next: What is Cross Site Scripting? >>
 

More Security Articles
More By Alejandro Gervasio

Comments On: A Quick Look at Cross Site Scripting

· Woah, the possibilities of this have never crossed my mind. Great article!    · Um, how is this solution better than using such built-in PHP functions as...    · I always use this:<?php/** * Remove slashes, tags and ASCIIZ from GET,...    · You *never* *ever* do something like:echo $_GET['variable'];this does not...    · Hello,I'm the author of the article.Cheers.I totally agree that echoing GET...    · Hello,Because I wrote the article, I must thank you for the comment. It's great...    · Hello again,Also,it's worthy considering that JavaScript embbeded into links, is...    · I don't think this article creates a real scary threat, If you use javascript to...    · Hello,Thank you for commenting on my article. With regard to your comment I must...    · the problem is you're not actually *validating* your input. You're just altering it...    · Thank you for your comments on this article. Well, you're correct when you say the...    · First it need to be noted that no php security scripting will replace a improperly...    · whichever admin reviewed the above scripts i submitted screwed them up.there...    · here is the second one that requires CCISECURITY.PHP<?php####### ...    · here is the third one i mentioned .it is a stand-alone secueirty class providing...    · Thank you for posting this extremely useful set of classes with reference to...    · As I posted before, I greatly appreciate the group of excellent classes you listed...   >>> Post your comment now!