What is Cross-site scripting :
Cross-site scripting is a serious security issue facing Web developers. This exploit
allows malicious Web site operators to abuse the trust relationships Web users have with unrelated third-party sites and execute arbitrary scripting code on an end user's system. The easiest way to describe cross-site scripting is with an example. Suppose
that Mal, the operator of www.malicious.com decides to take advantage of this
vulnerability to affect users from Acme Widgets. Mal knows that Acme operates
an intranet site that hosts a feedback form at www.feedback.acme/form.htm. This
form processes user feedback and displays a confirmation page thanking the user
for their submission and displaying the data that was entered on the page. Mal
also knows that users within Acme have the www.feedback.acme site listed as a
trusted site, while his site www.malicious.com is an untrusted site.
To
implement the attack, Mal places a hyperlink on his site labeled "Free
Beer, Click Here!" (or whatever) and codes it to submit data to the Web
page that processes input from www.feedback.acme/form.htm. In the feedback
field, he enters the message "Thanks for everything."
When the user clicks the
"Free Beer, Click Here!" link, he or she unintentionally submits the
form to the trusted site, resulting in their browser displaying a message
thanking them for their input. However, when the browser encounters the portion
of the page between the tags, it executes it as Web scripting code.
Now,
you may ask what benefit lies in redirecting users from Mal's site to Acme's
site. This lies in the trust relationship. True, Mal could simply place the
script on his own site and bypass the cross-site part of the scenario. However,
in this case, Mal's code would be handled by the browser's rules regarding
untrusted sites. By using cross-site scripting, he effectively hijacks the
trust relationship between Acme users and Acme intranet sites and forces the
execution of his code according to the browser's rules for trusted sites.
Unfortunately,
there is no simple fix for the cross-site scripting vulnerability. Web
developers must be careful to filter out the tags and any other sensitive HTML
elements from processed data before redisplaying it in the user's browser. As
with many Web security issues, vigilant programming by security-conscious
developers is the best solution.
How do you protect websites against cross-site scripting attacks :
Web developers can implement filtering code for all user input to remove potentially noxious characters, or convert them to something that a browser will not run (for example, > and < can be converted to > and < respectively. CodeIgniter includes free PHP filtering code to prevent XSS and other kinds of attacks. Use the xss_clean() method as shown below.
$data = $this->security->xss_clean($data);
You should use this function only when you are submitting data. The optional second Boolean parameter can also be used to check image file for XSS attack. This is useful for file upload facility. If its value is true, means image is safe and not otherwise.
Web users can protect against XSS attacks by disabling scripting in their browser, but this causes many websites to not function at all, or have severely limited use. Users can also configure a trusted zone in their browser to allow scripts only from sites they know are very unlikely to have XSS flaws. But, implementing such a solution is difficult. Also, avoid clicking on links in emails, newsgroup postings and third-party sites. Instead, only login to such sites directly, by typing their URL right in your browser or surfing there from a short cut. Although it's a good defensive principle, even that approach can be cumbersome. In the end, users typically depend on trusting that the websites they access will filter user input.
Chears :)
Happy Coding guys..