XSS

02-16-2009, 10:10 AM
Post: #1

XSS
Anyone know what XSS is? Cross site scripting is a method used when a user injects a line of JavaScript into a URL, then sends the URL to someone.
It involves a fair amount of social engineering, so most programmers overlook it. I, for one, usually don't worry about XSS as it is a lot of work to remove all exploits. I teach all my users to look out for XSS, but other than that I don't worry about it.
02-16-2009, 08:25 PM
Post: #2
RE: XSS
Here is an XSS cheat sheet.

Code: http://ha.ckers.org/xss.html

I ran all the tests on my site and a few went through, so I made some changes; now none of the tests worked. What I had was:

PHP Code: $whatever = $_GET['whatever'];

That was bad... Now I put in:

PHP Code: $whatever = htmlentities(strip_tags($_GET['whatever']));

That worked great! So I stripped all the tags from the GET var then converted the string to htmlentities - ie < becomes &lt; etc... Seems to have worked. I'm sure there are ways around my little one XSS prevention but it did work for all the tests listed at that sheet.
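An added example, not code from this thread or from MyBB, showing where the strip_tags plus htmlentities pattern above and encode-at-output with explicit flags differ. The sample input string and the helper names escapeHtml and safeHref are constructed for this example; the PHP functions it calls (htmlspecialchars, htmlentities, strip_tags, parse_url) are standard.

```php
<?php
// Added example, not from the thread. Output encoding for the HTML contexts
// a forum page typically echoes user input into.

// Constructed sample input: mixed quotes and a tag, the kind of thing the
// cheat-sheet tests submit.
$input = "Tom's \"nick\" <b>bold</b>";

// Encode for HTML text and for double- or single-quoted attribute values.
// ENT_QUOTES converts both quote kinds. Before PHP 8.1 the default flags
// were ENT_COMPAT, which leaves the single quote untouched, so always pass
// the flags and the charset explicitly instead of relying on defaults.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 1) The pattern from post #2: strip tags, then encode with default flags.
//    strip_tags drops "<b>" and "</b>" (and any text that looks like a tag,
//    so the user's "<b>" is lost rather than displayed); whether the single
//    quote is then encoded depends on the PHP version's default flags.
$stripped = htmlentities(strip_tags($input));

// 2) Encode only, at output time: the user's text survives intact but is
//    inert in every one of the contexts below.
$safe = escapeHtml($input);

echo "<p>" . $safe . "</p>\n";
echo "<input type=\"text\" value=\"" . $safe . "\">\n";
echo "<input type='text' value='" . $safe . "'>\n";

// For a user-supplied URL placed in href, encoding alone is not enough:
// an encoded javascript: URL is still followed by the browser. Check the
// scheme first, then encode. The '#' fallback is a hypothetical placeholder
// for whatever policy the site applies to rejected links.
function safeHref(string $url): string {
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return escapeHtml($url);
}

echo '<a href="' . safeHref("https://example.com/?q=a&b") . '">link</a>' . "\n";
echo '<a href="' . safeHref("javascript:void(0)") . '">rejected</a>' . "\n";
```

The point for the thread's discussion: strip_tags changes what the user wrote and only addresses one context (tags in HTML text), while encoding at the moment of output, with the flags chosen for the context, keeps the data and blocks the injection in text and attribute contexts alike. JavaScript and URL contexts need their own encoders, as the safeHref check hints.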
02-17-2009, 08:09 AM
Post: #3
RE: XSS
That's a great resource, thanks for sharing.
My site runs mostly on MyBB though. I'm not sure if there is XSS, I will run the tests and see if anything is exploitable.
02-17-2009, 06:43 PM
Post: #4
RE: XSS
MyBB has some functions to avoid XSS attacks. However, few plugin authors really bother using them properly.
02-17-2009, 08:10 PM
Post: #5
RE: XSS
It's never a good idea to start looking over security holes. Although XSS is a small security risk, XSS can be used for more than the classic cookie stealing. There is now something called XSS tunneling; look it up, it's neat.
02-18-2009, 07:38 AM
Post: #6
RE: XSS
XSS can't really harm the server/website itself though, right?
I have always thought of it as more of a client-side thing, since it basically just affects the victim's machine/data.
03-04-2009, 08:55 PM
Post: #7
RE: XSS
Well, it cannot actually harm the website, but if it manages to get user (admin) info from a forum, then the hacker can do anything to the forum.
And it's very easy to do so, for example using XSS to steal cookies from another user; the best way would be sending prased links or image-mapping such a link.
03-10-2009, 07:25 PM
Post: #8
RE: XSS
Can't Cross Site Scripting be pretty harmless at times at the hands of a newbie to such things? Like, I know of some pretty nifty injection scripts that are only client-side and won't do much to the site as a whole. Is MyBB safe from such things? Like, is the forum software, by itself, pretty safe from attacks?
03-13-2009, 03:54 PM
Post: #9
RE: XSS
Yes, I hope so at least. Sometimes I see websites where you can just inject the text field. Does it take so much time to do an htmlentities in PHP? A noob online can make an alert, but a better hacker can inject your site and make cookie stealers, like stefanov already said. It's a good reason to avoid XSS.
03-16-2009, 05:53 PM
Post: #10
RE: XSS
(03-13-2009 03:54 PM)O-D-M Wrote: Yes, I hope so at least. Sometimes I see websites where you can just inject the text field. Does it take so much time to do an htmlentities in PHP? A noob online can make an alert, but a better hacker can inject your site and make cookie stealers, like stefanov already said. It's a good reason to avoid XSS.

What do you mean by "avoid"? You can't really avoid it; the best thing you could do is take care not to click on anything that seems suspicious.