Hide script in php

Cross-site Scripting (XSS) and ways to prevent it in PHP applications

Web application security is a key component of any web-based application.
XSS was originally called "cross-site" because of security flaws in web browsers: if you had windows for two different sites open in your browser at the same time, you could use XSS to move information from one site to the other.
In this post, I will walk you through the details about the XSS and how you can prevent XSS attacks on your PHP web app.

Cross-Site Scripting (XSS)

What is XSS?
It is the unintended execution of remote code by a web client. An attacker can use XSS to send a malicious script to an unsuspecting user.
Any web application might expose itself to XSS if it takes input from a user and outputs it directly on a web page.

How does XSS occur?

XSS payloads are typically injected through a web form or a hyperlink on a web page. Any client-side language, including JavaScript, PHP, HTML, and VBScript, can carry this code. Data inputs coming from a client should never be trusted: GET, POST, and COOKIE values can be anything at all, and should therefore be validated before they are output.
PHP provides a few ways to do this.

1️⃣HTML Encoding:

PHP's htmlspecialchars function converts HTML special characters (&, ", ', <, >) into their HTML entity encodings, so the browser no longer processes them as markup.
SYNTAX

<?php
// GET: encode the value before it is placed into HTML output
$input = htmlspecialchars($_GET['input']);
// POST: same treatment for form data
$input = htmlspecialchars($_POST['input']);
?>

2️⃣URL Encoding:

When outputting a dynamically generated URL, PHP provides the urlencode function to safely output validated or sanitized URLs.
SYNTAX

<?php
// Percent-encode the value before it is placed into a query string
$input = urlencode($_GET['input']);
?>
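The two encoders above are only correct for the context they were designed for, so here is an added example (not code from the original post) that renders one untrusted value into three places on a page: HTML text, an HTML attribute, and a query-string parameter. The function names and the sample input are constructed for this example; htmlspecialchars and urlencode are the standard PHP functions.

```php
<?php
// Added example (not from the original post): context-aware output encoding
// for a single untrusted value. The sample input below is constructed to look
// like a typical injection attempt and is used only to show what each
// encoder emits.

declare(strict_types=1);

// Encode for an HTML text or attribute context. ENT_QUOTES also encodes
// single quotes, which matters inside single-quoted attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a value that is placed into a URL query-string parameter.
function escapeUrlParam(string $value): string
{
    return urlencode($value);
}

// Render a search-results fragment. The same untrusted value appears in
// three contexts, each with the encoding that context requires.
function renderSearchFragment(string $userInput): string
{
    $html = escapeHtml($userInput);
    $url  = '/search?q=' . escapeUrlParam($userInput);

    return '<p>Results for: ' . $html . '</p>' . "\n"
         . '<input type="text" name="q" value="' . $html . '">' . "\n"
         // the URL is already percent-encoded; it still needs HTML-attribute
         // encoding because it sits inside an href attribute
         . '<a href="' . escapeHtml($url) . '">Search again</a>' . "\n";
}

// Constructed sample input: what an injection attempt typically looks like.
$sample = "<script>alert('x')</script>\" onmouseover=\"alert(1)";

// Unsafe: echoing the raw value lets the browser interpret it as markup.
// echo '<p>Results for: ' . $sample . '</p>';

// Safe: every context gets its own encoding.
header('Content-Type: text/html; charset=utf-8');
echo renderSearchFragment($sample);
```

Note that the encoding is applied at output time, not when the value is stored: the same stored string may later be placed into a JavaScript string or a SQL query, and each of those contexts needs a different encoder.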

3️⃣THIRD PARTY PHP LIBRARIES:

There are several third-party PHP libraries which are commonly used to assist in XSS prevention.
Examples👇
HTML Purifier
PHP Anti-XSS
htmLawed

🗝Using PHP Filter Functions.

Note✍

PHP's strip_tags() should NOT be used on its own for sanitizing data. strip_tags() removes HTML tags, but it cannot prevent XSS instances that exist within the attributes of HTML tags. strip_tags() also does not filter or encode unpaired closing angle brackets.
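To make the note concrete, the following added example (not code from the original post) runs strip_tags() and htmlspecialchars() side by side over two constructed inputs: one that hides its payload in an attribute of an allowed tag, and one that relies on an unpaired closing bracket. The function name and inputs are assumptions made for this example.

```php
<?php
// Added example (not from the original post): why strip_tags() alone is not
// an XSS defence. Both inputs below are constructed for illustration.

declare(strict_types=1);

/**
 * Run the two sanitizers over one input and return both results so they can
 * be compared. $allowedTags is passed straight to strip_tags().
 *
 * @return array{strip_tags: string, htmlspecialchars: string}
 */
function compareSanitizers(string $input, string $allowedTags = ''): array
{
    return [
        'strip_tags'       => strip_tags($input, $allowedTags),
        'htmlspecialchars' => htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

// Case 1: the payload sits in an attribute of a tag the site chose to allow.
// strip_tags() keeps the whole <a ...> tag, attribute included, so the
// javascript: URL reaches the browser untouched.
$attributePayload = '<a href="javascript:alert(1)">click</a>';
$case1 = compareSanitizers($attributePayload, '<a>');

// Case 2: an unpaired closing angle bracket. strip_tags() neither removes
// nor encodes a '>' that is not part of a tag, while htmlspecialchars()
// turns it into &gt;.
$bracketPayload = 'alert(1)//>';
$case2 = compareSanitizers($bracketPayload);

header('Content-Type: text/plain; charset=utf-8');
foreach (['attribute payload' => $case1, 'unpaired bracket' => $case2] as $label => $result) {
    echo $label, ":\n";
    echo "  strip_tags       -> ", $result['strip_tags'], "\n";
    echo "  htmlspecialchars -> ", $result['htmlspecialchars'], "\n";
}
```

The practical rule this illustrates: when user-supplied markup must be allowed, use a whitelist-based sanitizer such as the HTML Purifier library listed above, which validates attributes as well as tags; when it need not be allowed, encode the value for its output context instead of stripping it.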

Conclusion


Cross-Site Scripting is a versatile attack. It can be used to steal highly sensitive data, including user credentials, cookies, and data that has economic value. What other ways are there to prevent XSS? Kindly share your ideas in the comments below👇 You can support me to keep writing more for you🚀❤

Source

Hiding PHP

In general, security by obscurity is one of the weakest forms of security. But in some cases, every little bit of extra security is desirable.

A few simple techniques can help to hide PHP, possibly slowing down an attacker who is attempting to discover weaknesses in your system. By setting expose_php to off in your php.ini file, you reduce the amount of information available to them.

Another tactic is to configure web servers such as Apache to parse different filetypes through PHP, either with an .htaccess directive, or in the Apache configuration file itself. You can then use misleading file extensions:

Example #1 Hiding PHP as another language

# Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl

Example #2 Using unknown types for PHP extensions

# Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t

Or hide it as HTML code, which has a slight performance hit because all HTML will be parsed through the PHP engine:

Example #3 Using HTML types for PHP extensions

# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html

For this to work effectively, you must rename your PHP files with the above extensions. While it is a form of security through obscurity, it’s a minor preventative measure with few drawbacks.

User Contributed Notes (26 notes)

So far I haven’t seen a working rewriter of /foo/bar into /foo/bar.php, so I created my own. It does work in top-level directory AND subdirectories and it doesn’t need hardcoding the RewriteBase.

# Rewrite /foo/bar to /foo/bar.php
RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]

# Return 404 if original request is /foo/bar.php
RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"
RewriteRule .* - [L,R=404]

# NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:
# RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]

The session name defaults to PHPSESSID. This is used as the name of the session cookie that is sent to the user’s web browser / client. (Example: PHPSESSID=kqjqper294faui343o98ts8k77).

To hide this, call session_name() with the $name parameter set to a generic name, before calling session_start(). Example:

Setting the INI directive "expose_php" to "off" will also help.
You can spoof your PHP as ASP.NET by using:

<?php
error_reporting(0);
header("X-Powered-By: ASP.NET");
?>

adding MultiViews to your apache Options config
lets you hide/omit .php in the url without any rewriting, etc.

You can see if somebody’s using PHP just by adding the following to the end of the URL:
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
If the page is using PHP, this will show the PHP credits.

Setting expose_php to Off in php.ini prevents this.
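The notes above name several separate disclosure points (the expose_php header and credits page, the default PHPSESSID cookie name, the X-Powered-By header, error output). The following added example, which is not from the PHP manual or its user notes, is a self-check an operator can drop onto a server to report which of those are still active for the current request, and it applies the per-request hardening the notes describe. The function names and finding texts are assumptions chosen for this example.

```php
<?php
// Added example (not from the PHP manual or its user notes): report which
// PHP information-disclosure settings are still active, then apply the
// per-request hardening the notes describe. Run it as a normal web page.

declare(strict_types=1);

/**
 * Return a list of disclosure findings for the current PHP runtime.
 * An empty list means none of the checked settings leak.
 *
 * @return string[]
 */
function auditPhpDisclosure(): array
{
    $findings = [];

    // expose_php=On adds the "X-Powered-By: PHP/x.y.z" header and enables the
    // ?=PHP... credits/logo easter-egg URLs mentioned in the note above.
    if (filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'expose_php is On: version header and credits page are enabled';
    }

    // The default session cookie name advertises PHP even with expose_php Off.
    if (session_name() === 'PHPSESSID') {
        $findings[] = 'session.name is the default PHPSESSID';
    }

    // display_errors sends error messages, file paths and traces to the client.
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'display_errors is On: errors are shown to clients';
    }

    // Any X-Powered-By header currently queued for this response (including
    // the one expose_php adds) still reveals the stack.
    foreach (headers_list() as $header) {
        if (stripos($header, 'X-Powered-By:') === 0) {
            $findings[] = 'response carries "' . $header . '"';
        }
    }

    return $findings;
}

/**
 * Hardening for this request only. The durable fix is expose_php=Off,
 * display_errors=Off and session.name in php.ini; these calls are the
 * runtime equivalent for a script that cannot change php.ini.
 */
function applyRequestHardening(): void
{
    ini_set('display_errors', '0');
    header_remove('X-Powered-By');   // drop the header expose_php adds
    if (session_status() === PHP_SESSION_NONE) {
        session_name('sid');         // generic cookie name, set before session_start()
    }
}

$before = auditPhpDisclosure();
applyRequestHardening();
$after = auditPhpDisclosure();

header('Content-Type: text/plain; charset=utf-8');
echo "Before hardening:\n", $before === [] ? "  (none)\n" : '  ' . implode("\n  ", $before) . "\n";
echo "After hardening:\n",  $after  === [] ? "  (none)\n" : '  ' . implode("\n  ", $after)  . "\n";
```

The "after" list is the useful one: anything that survives header_remove() and session_name() (for instance expose_php itself, which is reported by the credits URL regardless of what this script does to its own headers) can only be fixed in php.ini or the web server configuration.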

The idea of hiding the X-Powered-By in PHP is a flawed attempt at establishing security. As the manual indicates, obscurity is not security. If I were exploiting a site, I wouldn’t check what scripting language the site runs on, because all that would matter to me is exploiting it. Hiding the fact that you use [x] language isn’t going to prevent me from bypassing poor security.

To hide PHP, you need the following php.ini settings

ServerSignature Off
(min works, but I prefer off)

I think the best way to hide PHP on Apache and Apache itself is this:

httpd.conf
————-
# ...
# Minimize 'Server' header information
ServerTokens Prod
# Disable server signature on server generated pages
ServerSignature Off
# ...
# Set default file type to PHP
DefaultType application/x-httpd-php
# ...

Now hacker knows only that you are using Apache.

In response to the previous messages, for Apache, there is an easier way to set files without "." to be executed by PHP, just put this in a ".htaccess" file:

It’s a good idea to «hide» PHP anyway so you can write a RESTful web application.

RewriteEngine On
RewriteRule ^control/([^/]+)/(.*)$ sitecontroller.php?control=$1&query=$2

You then use a function like the following as a way to retrieve data (in a zero indexed fashion) from the $_GET superglobal.

<?php
// Split the rewritten "query" parameter into a zero-indexed array of segments
function myGET() {
    $aGet = array();

    if (isset($_GET['query'])) {
        $aGet = explode('/', $_GET['query']);
    }

    return $aGet;
}
?>

This is only a really basic example of course — you can do a lot with Mod Rewrite and a custom ‘GET’ function.

# Redirect external .php requests to extensionless url
RewriteCond %{THE_REQUEST} ^(.+)\.php([#?][^\ ]*)?\ HTTP/
RewriteRule ^(.+)\.php$ http://example.com/folder/$1 [R=301,L]

# Resolve .php file for extensionless php urls
RewriteRule ^([^/.]+)$ $1.php [L]

PS. If you want to use pretty URLs (i.e. hide your .php extensions) AND you have safe-mode=on, the previous example (ForceType) won’t work for you. The problem is that safe-mode forces Apache to honor trailing characters in a requested URL. This means that:

would still be processed by the home script in our doc root, but for:

apache would actually look for the /home/contact_us.html file in our doc root.

The best solution I've found is to set up a virtual host (which I do for everything, even the default doc root) and override the trailing characters handling within the virtual host. So, for a virtual host listening on port 8080, the Apache directives would look like this:

<VirtualHost *:8080>
    DocumentRoot /web/doc_root
    Alias /home "/web/doc_root/home.php"
    AcceptPathInfo On
</VirtualHost>

Some people might question why we are overriding the trailing characters handling (with the AcceptPathInfo directive) instead of just turning safe-mode=off. The reason is that safe mode sets global limitations on the entire server, which can then be turned on or left off for each specific virtual host. This is the equivalent of blocking all connections on a firewall, and then opening up only the ones you want, which is a lot safer than leaving everything open globally, and assuming your programmers will never overlook a possible security hole.

Source

How to hide an element on a page

Good evening!
Is it possible, with a script or some other method, to hide a block of a page based on a condition?
For example, the site has a button or a checkbox, and clicking it would toggle a page element on or off.

var snowsrc = "../images/snow.png";   // image used for each flake
var no = 20;                           // number of flakes
var log = 0;                           // toggle state: 0 = snow shown, 1 = snow hidden
var hidesnowtime = 0;                  // seconds until the snow hides itself; 0 = never
var snowdistance = "windowheight";     // "windowheight" or "pageheight"
var ie4up = (document.all) ? 1 : 0;
var ns6up = (document.getElementById && !document.all) ? 1 : 0;
var snowtimer;

function iecompattest() {
    return (document.compatMode && document.compatMode != "BackCompat") ? document.documentElement : document.body;
}

var dx, xp, yp;
var am, stx, sty;
var i, doc_width = 800, doc_height = 600;

if (ns6up) {
    doc_width = self.innerWidth;
    doc_height = self.innerHeight;
} else if (ie4up) {
    doc_width = iecompattest().clientWidth;
    doc_height = iecompattest().clientHeight;
}

dx = new Array(); xp = new Array(); yp = new Array();
am = new Array(); stx = new Array(); sty = new Array();
snowsrc = (snowsrc.indexOf("../images/") != -1) ? "../images/snow.png" : snowsrc;

// Create one positioned <div> per flake. The per-flake start values were lost
// from the posted copy of this script; they are restored here with the same
// formulas the reset branch in snowIE_NS6() uses.
for (i = 0; i < no; ++i) {
    dx[i] = 0;
    xp[i] = Math.random() * (doc_width - 50);
    yp[i] = Math.random() * doc_height;
    am[i] = Math.random() * 20;
    stx[i] = 0.02 + Math.random() / 10;
    sty[i] = 0.7 + Math.random();
    if (ie4up || ns6up) {
        document.write("<div id=\"dot" + i + "\" style=\"POSITION: fixed; Z-INDEX: " + i + "; VISIBILITY: visible; TOP: 15px; LEFT: 15px;\"><img src='" + snowsrc + "' border=\"0\"><\/div>");
    }
}

// Move every flake one step; flakes that reach the bottom restart at the top.
function snowIE_NS6() {
    doc_width = ns6up ? window.innerWidth - 10 : iecompattest().clientWidth - 10;
    doc_height = (window.innerHeight && snowdistance == "windowheight") ? window.innerHeight
               : (ie4up && snowdistance == "windowheight") ? iecompattest().clientHeight
               : (ie4up && !window.opera && snowdistance == "pageheight") ? iecompattest().scrollHeight
               : iecompattest().offsetHeight;
    for (i = 0; i < no; ++i) {
        yp[i] += sty[i];
        if (yp[i] > doc_height - 50) {
            xp[i] = Math.random() * (doc_width - am[i] - 30);
            yp[i] = 0;
            stx[i] = 0.02 + Math.random() / 10;
            sty[i] = 0.7 + Math.random();
        }
        dx[i] += stx[i];
        document.getElementById("dot" + i).style.top = yp[i] + "px";
        document.getElementById("dot" + i).style.left = xp[i] + am[i] * Math.sin(dx[i]) + "px";
    }
    snowtimer = setTimeout(snowIE_NS6, 10);
}

// Stop the animation and hide all flakes.
function hidesnow() {
    if (window.snowtimer) clearTimeout(snowtimer);
    for (i = 0; i < no; i++) document.getElementById("dot" + i).style.visibility = "hidden";
}

if (ie4up || ns6up) {
    snowIE_NS6();
    if (hidesnowtime > 0) setTimeout(hidesnow, hidesnowtime * 1000);
}

// Toggle handler for the element with id "snow-start" (the button from the question):
// hides or shows the flakes and updates the button label.
function stopsnow() {
    if (log == 0) {
        for (i = 0; i < no; i++) document.getElementById("dot" + i).style.visibility = "hidden";
        no = 0;
        log = 1;
        document.getElementById('snow-start').innerHTML = 'Вкл. снег';   // label: "Snow on"
    } else {
        log = 0;
        no = 20;
        for (i = 0; i < no; i++) document.getElementById("dot" + i).style.visibility = "visible";
        document.getElementById('snow-start').innerHTML = 'Выкл. снег';  // label: "Snow off"
    }
}

Source
