  1. #1
    New Coder

    web dev. security - XSS/CSRF

    I think this forum should have a security discussion area.

    I have a few questions about security, and would appreciate any input anyone can give.
    About cross site scripting.
    Actually, I think what this is is called "Cross-site request forgery".

    One thing I know I need to do to protect against cross site scripting is to validate all user-generated data that will be displayed to my page. What would be the best way to do this? Is it just running htmlspecialchars() (in php) for all user-generated data that will be displayed in the web page?

    Another thing I am wondering about is how to protect against cross-site scripting from other sites. I just did an experiment where I copied my login form's html and used firebug to plant inside of http://www.google.ca/ig?hl=en. I clicked 'login', and it worked. This isn't good.

    What I was going to do about this was make sure whenever a post is sent that $_SERVER['HTTP_REFERER'] indicated it was sent from my website, but the php manual seems to say this doesn't help much:
    The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
    But I guess that in the case of cross site scripting the chances are the hacker can't modify HTTP_REFERER on the client's computer (?). Because all he can do is plant html/javascript on some other site. As long as the client's browser supports sending the HTTP_REFERER, I suppose this should be safe to trust.

    I just tried this after login (with a different POST action on my site) to see if the session cookie would still be sent - and it was. It still worked.

    Does anyone have any insight? Does anyone know of any good resources for this?
    Last edited by mdg583; 11-21-2008 at 04:59 PM. Reason: mistake

  • #2
    New Coder
    To answer my own question, I just found some suggestions here.

    Basically, another method is to have your server plant in every form a hidden field with a key, which is then checked whenever a POST is received. I think I would do this by storing generated random keys in the SESSION and then checking against the SESSION whenever a POST is received.

  • #3
    Regular Coder mic2100
    That would be a good way of preventing logging on from an external form; I would also change the key each time a form is produced to increase the security a bit more. The HTTP_REFERER, from what I understand, can be faked since it is sent in the header of the page (just like email headers), so cannot be trusted.
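    Putting posts #2 and #3 together, here is an added example (my own code, not from anyone in this thread) of per-form CSRF tokens kept in the session and rotated on every form render, plus htmlspecialchars() output escaping for the XSS question in post #1. It assumes PHP 7.1 or later (random_bytes, hash_equals, nullable types); the function names are my own.

```php
<?php
// Added example: session-stored, single-use CSRF tokens (posts #2/#3)
// and output escaping (post #1). Assumes PHP >= 7.1.
session_start();

// Generate a fresh random token for one named form and remember it
// server-side; a new token is issued every time the form is rendered.
function csrf_token_create(string $form): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits of randomness
    $_SESSION['csrf'][$form] = $token;         // one token per form name
    return $token;
}

// Hidden field to drop into the form; the token is escaped like any output.
function csrf_hidden_field(string $form): string
{
    $token = csrf_token_create($form);
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy in constant time,
// then discard it so a token can only be used once.
function csrf_token_verify(string $form, ?string $submitted): bool
{
    $expected = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);
    if ($expected === null || $submitted === null) {
        return false;                          // no token issued or none sent
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A form copied to another site has no valid session token, so it fails here.
    if (!csrf_token_verify('login', $_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid; please reload the form.');
    }
    // ... check credentials here ...
    // Escape user-supplied data before echoing it back (the XSS side).
    echo 'Welcome, ' . htmlspecialchars($_POST['username'] ?? '', ENT_QUOTES, 'UTF-8') . '!';
} else {
    echo '<form method="post" action="">'
       . csrf_hidden_field('login')
       . '<input name="username"> <input type="password" name="password"> '
       . '<button type="submit">login</button></form>';
}
```

    Because the token is tied to the server-side session rather than to the Referer header, it cannot be supplied by a form planted on another site, regardless of what the browser sends in HTTP_REFERER.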
