web dev. security - XSS/CSRF

11-21-2008, 04:54 PM
I think this forum should have a security discussion area.

I have a few questions about security, and would appreciate any input anyone can give.
About cross site scripting.
Actually, I think what this is is called "Cross-site request forgery".

One thing I know I need to do to protect against cross site scripting is to validate all user-generated data that will be displayed to my page. What would be the best way to do this? Is it just running htmlspecialchars() (in php) for all user-generated data that will be displayed in the web page?

Another thing I am wondering about is how to protect against cross-site scripting from other sites. I just did an experiment where I copied my login form's HTML and used Firebug to plant it inside http://www.google.ca/ig?hl=en. I clicked 'login', and it worked. This isn't good.

What I was going to do about this was make sure whenever a POST is sent that $_SERVER['HTTP_REFERER'] indicated it was sent from my website, but the php manual (http://ca.php.net/manual/en/reserved.variables.server.php) seems to say this doesn't help much:

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

But I guess that in the case of cross site scripting the chances are the hacker can't modify HTTP_REFERER on the client's computer (?). Because all he can do is plant html/javascript on some other site. As long as the client's browser supports sending the HTTP_REFERER, I suppose this should be safe to trust.

I just tried this after login (with a different POST action on my site) to see if the session cookie would still be sent - and it was. It still worked.

Does anyone have any insight? Does anyone know of any good resources for this?
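On the first question (escaping user-generated data before it is displayed), the point a practitioner would add is that htmlspecialchars() is the right tool for HTML text and attribute values but not for every output context. The following is an added example, not code from the original post: the helper names e(), safe_url() and js_string() are my own, and the hostile input values are constructed for the demonstration. It assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the original post: context-aware output
// encoding for user-generated data. The helper names e(), safe_url() and
// js_string() are my own; assumes PHP 7.3+ (JSON_THROW_ON_ERROR).
declare(strict_types=1);

// HTML text and quoted attribute values. ENT_QUOTES also encodes the single
// quote, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '',
// and the charset is named explicitly rather than left to ini defaults.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// href/src attributes: htmlspecialchars() does nothing to "javascript:",
// so the scheme has to be checked before the value is HTML-encoded.
function safe_url(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return '#';                                  // unparseable: refuse
    }
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';                                  // javascript:, data:, vbscript: ...
    }
    return e($url);
}

// A value embedded as a JavaScript string literal inside a <script> block.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so "</script>"
// inside the data cannot terminate the script block early.
function js_string(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed hostile input, as a user might submit in a profile form.
$name = '<script>alert(1)</script>" onmouseover="alert(2)';
$site = 'javascript:alert(3)';

// Each sink gets the encoder for its own context.
echo '<p>Hello, ' . e($name) . "</p>\n";
echo '<a href="' . safe_url($site) . '" title="' . e($name) . "\">homepage</a>\n";
echo '<script>var displayName = ' . js_string($name) . ";</script>\n";
```

The rule this illustrates: encode at the point of output, once, with the encoder for the context the value lands in (HTML body, attribute, URL, JavaScript string). Escaping on input, or with a single function for every context, leaves the href and script cases open.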

11-21-2008, 05:10 PM
To answer my own question, I just found some suggestions here (http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention).

Basically, another method is to have your server plant in every form a hidden field with a key, which is then checked whenever a POST is received. I think I would do this by storing generated random keys in the SESSION and then checking against the SESSION whenever a POST is received.

11-21-2008, 05:38 PM
That would be a good way of preventing logging on from an external form. I would also change the key each time a form is produced to increase the security a bit more. The HTTP_REFERER, from what I understand, can be faked since it is sent in the header of the page (just like email headers), so it cannot be trusted.
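The two replies above describe the same mechanism: a random key planted in each form as a hidden field, stored in the session, checked on every POST, and regenerated per form. The following is an added example of that design, not code from anyone in the thread. The function names, the 'csrf_tokens' session key, the one-hour lifetime and the 50-token cap are my own choices, and it assumes PHP 7.3 or later (random_bytes(), hash_equals(), array_key_first()).

```php
<?php
// Added example, not code from the thread: per-form CSRF tokens stored in the
// session, as the replies above propose. Function names, the 'csrf_tokens'
// session key and the limits below are my own; assumes PHP 7.3+.
declare(strict_types=1);

const CSRF_TTL        = 3600;   // seconds a token stays valid (assumed policy)
const CSRF_MAX_TOKENS = 50;     // bound on outstanding tokens per session

// Issue a fresh token for one form and record it server-side with an expiry.
function csrf_issue(): string
{
    $now    = time();
    $tokens = $_SESSION['csrf_tokens'] ?? [];

    // Forget expired tokens first.
    foreach ($tokens as $t => $expires) {
        if ($expires < $now) {
            unset($tokens[$t]);
        }
    }
    // Then drop the oldest so a user with many open tabs cannot bloat the session.
    while (count($tokens) >= CSRF_MAX_TOKENS) {
        unset($tokens[array_key_first($tokens)]);
    }

    $token = bin2hex(random_bytes(32));          // 256 bits from the OS CSPRNG
    $tokens[$token] = $now + CSRF_TTL;
    $_SESSION['csrf_tokens'] = $tokens;
    return $token;
}

// Hidden field to drop into every form the server renders.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_issue(), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept a POST only if it carries a token issued to this session that is
// unexpired and has not been used before. A matching token is consumed
// whether or not it has expired.
function csrf_check(array $post): bool
{
    $given = $post['csrf_token'] ?? null;
    if (!is_string($given) || $given === '') {
        return false;
    }
    foreach ($_SESSION['csrf_tokens'] ?? [] as $token => $expires) {
        if (hash_equals((string) $token, $given)) {   // constant-time comparison
            unset($_SESSION['csrf_tokens'][$token]);   // single use
            return $expires >= time();
        }
    }
    return false;
}

// --- Demonstration (run from the CLI; a real app calls session_start()) ---
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
} else {
    session_start();
}

$form = '<form method="post" action="/login">' . csrf_field() . '...</form>';
preg_match('/name="csrf_token" value="([0-9a-f]{64})"/', $form, $m);
$realToken = $m[1];

// An attacker's page can make the victim's browser send the session cookie,
// but it cannot read the token out of the victim's page, so it has to guess.
$forged = ['username' => 'victim', 'csrf_token' => str_repeat('0', 64)];
$legit  = ['username' => 'victim', 'csrf_token' => $realToken];

var_dump(csrf_check($forged));   // guessed token from the attacker's form
var_dump(csrf_check($legit));    // the token the server actually issued
var_dump(csrf_check($legit));    // the same token replayed after it was consumed
```

The check has to run before any state-changing code in the POST handler, and the comparison uses hash_equals() rather than == so that a token cannot be recovered byte by byte through timing. This is why the session-bound token works where the Referer header does not: the forged request above still carries the victim's session cookie, but the token in the hidden field is something only a page served by your own site to that session could contain.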