category: xss

Something about XSS (Cross-site scripting)

on 2015-11-01


If nothing is set up against it

Using code like

<?php echo $_GET['name']; ?>

with the query string name = <script>alert(document.cookie)</script>

and no defence against XSS, the browsers behave as follows.

In Firefox

[Screenshot: Firefox, 2015-11-01 8:40:08 PM]

In Chrome

[Screenshot: Chrome, 2015-11-01 8:42:45 PM]

In Safari

[Screenshot: Safari, 2015-11-01 8:43:16 PM]

Result

Chrome and Safari have built-in handling for this kind of XSS enabled by default.

Defence

Set the response header X-XSS-Protection: 1

If you use PHP, you can use

htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8')
// or
htmlentities($_GET['name'], ENT_QUOTES, 'UTF-8')

Important!

Finally

We must understand that these functions encode the HTML-significant characters (such as <, >, ", ' and &) into entities, so the browser renders the input as text instead of running it as JavaScript on the page.

JavaScript version of htmlspecialchars
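As an added example (not code from the original post), here is a JavaScript equivalent of PHP's htmlspecialchars() with ENT_QUOTES behaviour, applied to the post's payload in a constructed template, so the difference between the unencoded and encoded output can be checked directly.

```javascript
// Entity table matching what PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8')
// emits for the five HTML-significant characters.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;', // PHP's entity for a single quote under ENT_QUOTES
};

// JavaScript equivalent of htmlspecialchars() with ENT_QUOTES.
// Ampersand is in the set, so already-encoded input is not double-decoded
// by the browser later.
function htmlspecialchars(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for the post's vulnerable page:
// <?php echo $_GET['name']; ?> placed into the HTML body without encoding.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// The same template with output encoding, which is the fix the post recommends.
function renderSafe(name) {
  return `<p>Hello ${htmlspecialchars(name)}</p>`;
}

// Detection helper for the checks below: does the rendered HTML still carry a
// raw <script> tag that a browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The query-string value from the post, constructed here as sample input.
const PAYLOAD = '<script>alert(document.cookie)</script>';

console.log(renderUnsafe(PAYLOAD)); // tag survives: the browser would run it
console.log(renderSafe(PAYLOAD));   // &lt;script&gt;...: rendered as plain text
```

This covers the HTML body and quoted attribute contexts only; a value placed inside an existing <script> block or a URL needs a different, context-specific encoding.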

Reference - In-depth discussion of XSS attacks and how to defend against them
