XSS, a simple attack, but can ruin your web easily. To perform this attack, simply just type <script>alert('XSS')</script>
at your fictim's comment form. If you find this notification:
Congrats, you found a vulnerable site, and you officially become a bug hunter. XD.
Back to securing the form. There are 3 methods that i know to securing your input form form XSS:
Check the input before add it to the database
Simple one. Check the input if the input not contain something suspicious. If you find it, you can reject the input.
Remove all HTML tags from input
For do this in PHP, you can use strip_tags
. Here is the example:
<?php
$input = '<script src = "http://evil.com/some/evil/source"></script> Some comments';
echo strip_tags($input);
?>
And, here is the result:
Some comments
Sanitaze your input
You can sanitaze the input using a simple replace function. Simply, just replace <
with <
(unicode symbol for <
). If you display <
as the unicode, the XSS syntax will'nt run, and printed as normal string.
Yeah, that's my tips, Do you have any tips that i don't write here, you can add it down in the comment π.
Thanks for read, and bye! π.
Top comments (0)