3. Contents
• WHAT IS XSS.
• DANGERS OF NOT MITIGATING IT.
• PHP’S HELP IN STOPPING DEADLY XSS
(htmlentities)
• htmlspecialchars(),
get_magic_quotes_gpc(), stripslashes(),
mysql_real_escape_string()
• Setting the HttpOnly attribute in PHP so as to avoid
client-side script access to protected cookies
4. What is xss
Defined earlier on.
• Nevertheless: Cross Site Scripting (XSS) is
the event when an attacker injects a script,
often JavaScript, into the output of a web
application in such a way that it is executed in
the client's browser.
5. DANGERS OF NOT TAKING ACTION AGAINST IT.
Cookies will be stolen.
• Stolen cookies help the attacker learn
your client's username and password.
• The attacker can deploy a Trojan on your
user's computer.
• The attacker, like you, can steal money from
the bank, as you are going to do today.
6. So what does uncle PHP say about this naughty boy XSS
PHP offers us a wide range
of purifier functions, namely:
i. htmlentities()
ii. htmlspecialchars()
iii. get_magic_quotes_gpc()
iv. stripslashes()
v. mysql_real_escape_string()
Use of these is seen in the next slide, where they are used
together to sanitize some vulnerable code.
8. Some dangerous code
htmlentities("<script src='http://x.com/hack.js'></script>")
htmlentities("<script>hack();</script>")
Neutralized.
• If this code is let to run, the markup turns into the
harmless string below: the angle brackets become entities,
so the browser displays text instead of executing a script
(with PHP's pre-8.1 default flags the single quotes are left
as they are; pass ENT_QUOTES to encode them as well)
&lt;script src='http://x.com/hack.js'&gt;&lt;/script&gt;&lt;script&gt;hack();&lt;/script&gt;
• The good thing about this is that it is
harmless to our client's machine.
9. Another example: Uncle PHP at work
<?php
// Escapes a string for both the database (mysql_real_escape_string) and for
// HTML output (htmlentities). Note: get_magic_quotes_gpc() and the mysql_*
// extension are legacy PHP 5 APIs (removed in PHP 7/8), and
// mysql_real_escape_string() needs an open mysql_connect() link.
function mysql_entities_fix_string($string)
{
    return htmlentities(mysql_fix_string($string));
}
function mysql_fix_string($string)
{
    // Undo the backslashes magic_quotes added automatically, to avoid
    // double escaping before the real escape below
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}
?>
The mysql_entities_fix_string function first calls mysql_fix_string and then
passes the result through htmlentities before returning the fully sanitized
string.
10. Finally restricting access to our cookies using HttpOnly
HttpOnly mitigates the risk of a
client-side script accessing our
protected cookies.
• However, this will only work if the
selected browser supports the
HttpOnly attribute.
11. Using PHP to set HttpOnly
PHP supports setting the HttpOnly flag from
version 5.0.2.
Thus, for session cookies managed by PHP, the flag
can be set permanently in the php.ini file, i.e.
session.cookie_httponly = True
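Putting slides 8, 9 and 11 together, an added example (not code from the original slides): a page that echoes user input unescaped next to its hardened form using htmlspecialchars(), and the HttpOnly flag set from PHP code rather than php.ini. The function names and the 'prefs' cookie are hypothetical.

```php
<?php
// Added example, not from the slides. Function names are hypothetical.

// Vulnerable: attacker-controlled input goes straight into the HTML output,
// so a <script> tag in $name is parsed and executed by the browser.
function render_greeting_unsafe($name)
{
    return "<p>Hello, " . $name . "</p>";
}

// Hardened: encode for the HTML context. ENT_QUOTES also converts ' and ",
// so the value is safe inside quoted attributes, not only in text nodes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_greeting_safe($name)
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, " . $escaped . "</p>";
}

// Session cookie plus an application cookie with the HttpOnly flag, so that
// document.cookie in a script cannot read them even if an XSS slips through.
// Must run before any output is sent, as it emits Set-Cookie headers.
function start_session_httponly()
{
    ini_set('session.cookie_httponly', '1'); // same effect as the php.ini line
    session_start();
    // setcookie(name, value, expire, path, domain, secure, httponly)
    setcookie('prefs', 'lang=en', 0, '/', '', false, true);
}

start_session_httponly();

// Constructed test input: the payload from slide 8.
$payload = "<script src='http://x.com/hack.js'></script>";
echo render_greeting_unsafe($payload), "\n"; // script tag reaches the browser
echo render_greeting_safe($payload), "\n";   // only entities, rendered as text
```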