What is XSS basically & Its prevention tips




XSS is an abbreviation of "CROSS SITE SCRIPTING". XSS is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.Even facebook, twitter, my space and orkut have been attacked by XSS.


Types of XSS:

There are two types of the XSS attacks these are regarded as its flavours:

1. Non-persistent
These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request.

2. Persistent
It is more dangerous type for servers. It occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.Thus an attacker can easily deface the site by injecting his own image.

A small description with example:
Non-persistent works at forms and some platforms same like that. The thing is to find the XSS volunerabilty there. So Suppost "abc" has a website and he allows "xyz" to enter it as user by a username and pass as you all know well. So, another person "def" finds that the site can be attacked by XSS so he creats a URL to exploit that hole and sends a message or email by Using social engineering "xyz" entises "xyz" to click that and thus when "xyz" clicks it.  So now "xyz" is logged into "abc" site and "def" sends him a URL and "xyz" clicks it and thus his session cookis is sent to "def". So "def" will hijack the session and will do what he wants.

Persistent is a kind in which "def" sends a message to "xyz" and thus he clicks it and his session is hijacked. This can be done if sites allows html tags in comment form etc.


Another example of XSS attack :
There is  a site at the net which allows user to enter some of the html tags during comments. So, any kid can actually upload an image there and even he can redirect the page to another site. Look if a paypal page is attacked by XSS then the hacker can redirect the user to his phihsing page and thus user can be hacked.

So a user comments there an see whats the process:
If a user enters:
My cat: [img]www.mysite.com/cat.jpg[/img]
Bob's script will output:

My cat: <img src="www.mysite.com/cat.jpg" />
Hope you got if you are a genius if you havent got then see:

An evil user comes to comment here and founds this so he will do something like this:

Hi, very nice article [img]http://www.google.com/images/logo.gif" onload="window.location='http://jacks-site.com/'[/img]

And, of course, evil user's comment script obediantly turns it into HTML (red is evil user's input):

Code:
Hi bob, very nice pic! <img src="http://google.com/images/logo.gif" onload="window.location='http://jacks-site.com/'" />
And every time a user views one the page where comment box is installed, they are rudely redirected to Jack's site.

Finding a site volunerable to XSS:
The simplest way to check the vulnerability is to enter the following code in the any web form present on the website
<script>alert(“XSS”)</script>
 If the site is vulnerable then a popup windows wil appear showing :
"XSS" 
 
How do I Prevent XSS Attacks?

To prevent XSS attacks, you just have to check and sanitize all user inputted data that you plan on using.

For starters, disallow all HTML. Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like < and > that mark the beginning/end of a tag are turned into < and >. It is not enough to simply use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload. Even an innocent looking <strong> tag can contain some nasty code and hacker can deface site.

If you need to allow users to enter formatted text, then you have to create some sort of code like BBCode. But make sure you check and sanitize the output or else you'll suffer from vulnerabilities like Bob. For example, if you have a [url] tag that enters a link, make sure users don't enter something like
javascript:alert("Hello");
Make sure they enter valid URL's.