An XSS attack is one of the top most tried out attacks on a PHP enabled system and your PHP script may not be immune.
Sadly , many developers fails to deliver a secure code thus open to attacks.Every programmer should consider such attacks and vulnerabilities and try to make the program or script free from getting attacked.
Let me give you an example which will explain you how does such attacks happen.
Below is an index.php page with the following code.
<form method="post" action="save.php"> <input type = "text" name = "name"> <input type="submit" name="submit" value="Save"> </form>
In the above html code there is a simple form with a textbox and submit button.On click of the button the form is submitted to save.php for further processing.
A genuine user will fillup his/her name but an attacker can inject code instead of name.
Suppose on save.php just prints out the name.
Suppose instead of writing a plane name the attacker inputs <script>alert(‘HaHa You are attacked!!’);</script>.
If the scripts are not filtered the user will see the popup with message “HaHa You are attacked!! “.
Types of XSS Attacks
- Non-Persistent : The kind of attack shown in the above example falls under this category.It means attacks in which the code is not actually stored on the server but is rather presented to the user.
- Persistent : This attack is more dangerous one in which the code is actually injected into server.
Hopefully this article gave you a good explanation of what cross-site scripting attacks are.Never trust data coming from the user or from any other third party sources.In my next post I’ll explain how these attacks can be prevented.