First, let me honestly admit that I am still confused about the meaning of CSRF and XSS attacks.
I understand very little about them.
So what exact measures can be taken to prevent these attacks?
References and code are also appreciated.
Thanks
Uday
Preventing CSRF and XSS Attacks?
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Preventing CSRF and XSS Attacks?
These are both kind of broad topics, there isn't a silver bullet that will protect you. A good resource would be OWASP's Top 10, both XSS and CSRF made the list. Here is a link that you can explore, which contains information on what each topic is, the thought process behind it, how to combat it, and more references.
https://www.owasp.org/index.php/Top_10_2010-Main
Re: Preventing CSRF and XSS Attacks?
@flying_circus: Thanks, I will take a look.
Re: Preventing CSRF and XSS Attacks?
I disagree, there *is* a silver bullet, and it's fairly simple. If you want to fully understand it, there's more than that under the surface, but the solution is relatively straightforward:
1. Against XSS:
1.1. Escape output
$var = htmlspecialchars($var, ENT_QUOTES, 'UTF-8'); // third argument: your page's actual encoding
echo $var; // no injection possible (HTML body / quoted attribute context)
1.2. Don't allow text/html uploads (in your image upload scripts for example)
2. Against CSRF
2.1. Critical form actions should have hidden random token fields (there are tons of tutorials for this)
2.2. Do not allow XSS
-----
There are attacks that can theoretically go through these measures, but they are out of your application layer, so there's hardly anything you can do: browser defects, plugin defects, weak passwords ...
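The two measures from the post above (escape on output, random token on critical forms), put together in one small PHP page. This is an added example, not code from the original post: it assumes PHP 7 or newer (for random_bytes and hash_equals), sessions enabled, a page served as UTF-8, and the helper names e(), csrf_token() and csrf_valid() are made up here.

```php
<?php
// Added example (not from the original post): output escaping against XSS and a
// per-session CSRF token for a form. Assumes PHP 7+, sessions enabled, and a
// page served as UTF-8. Helper names (e, csrf_token, csrf_valid) are assumptions.
declare(strict_types=1);

session_start();

// 1.1 Escape on output, in the HTML context, with the page's real encoding.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2.1 One random token per session; reuse it for every form in that session.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG
    }
    return $_SESSION['csrf'];
}

// Verify: constant-time compare against the session value, reject anything else.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the critical action here (change e-mail, delete account, ...) ...
    $message = 'Saved e-mail address: ' . ($_POST['email'] ?? '');
} else {
    $message = '';
}
?>
<!DOCTYPE html>
<html><head><meta charset="UTF-8"><title>Account</title></head>
<body>
<!-- Escaped: a value like <script>alert(1)</script> is rendered as text, not run -->
<p><?= e($message) ?></p>
<form method="post" action="">
  <input type="hidden" name="csrf" value="<?= e(csrf_token()) ?>">
  <label>E-mail <input type="email" name="email"></label>
  <button type="submit">Save</button>
</form>
</body></html>
```

Two caveats worth keeping in mind when copying this pattern: htmlspecialchars() is the right escape for the HTML body and for quoted attributes only, so a value dropped into a <script> block or a URL needs context-specific encoding instead; and the token only helps if an attacker cannot read it, which is why the post's point 2.2 (no XSS) matters, and why the session cookie should be HttpOnly.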
Re: Preventing CSRF and XSS Attacks?
OK, I got you, Mordred!
But there was one case I came across where a site was hacked using an upload like userimg.php.jpg.
How can you scan this type of file, or prevent this from happening?
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Preventing CSRF and XSS Attacks?
uday8486 wrote: How can you scan this type of file, or prevent this from happening?
There are quite a few things you can do: uploading files outside the webroot so they cannot be executed via the browser, changing file names, checking MIME types and only allowing certain types (although that doesn't completely safeguard you).
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
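The three measures from the reply above (store outside the webroot, rename, check the real MIME type against a whitelist) in one PHP upload handler. This is an added example, not code from the original post: it assumes PHP 7 or newer with the fileinfo extension, a form field named "userimg", and an upload directory at /var/app/uploads that is not under the web server's document root (the path, the field name and the function names store_upload() and serve_image() are assumptions).

```php
<?php
// Added example (not from the original post): image upload handler that never
// trusts the user-supplied file name or Content-Type. Assumes PHP 7+, the
// fileinfo extension, a form field "userimg", and an upload directory outside
// the web root at /var/app/uploads (the path is an assumption).
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // not under DocumentRoot, so never served directly
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MiB

// Allowed content types, mapped to the extension WE choose.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Detect the type from the bytes, not from $file['type'] (client-controlled)
    // and not from the name: "userimg.php.jpg" tells us nothing reliable.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Unsupported type: ' . $mime);
    }
    // Second opinion: it must also parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Random name plus our extension; the original name is never used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // readable by the app user, never executable
    return $name;
}

// Serve it back through a script with a fixed Content-Type, so the web server
// never executes anything from UPLOAD_DIR and the browser does not sniff.
function serve_image(string $name): void {
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    $type = array_search($ext, ALLOWED, true);
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userimg'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_upload($_FILES['userimg']), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} elseif (isset($_GET['img'])) {
    serve_image((string) $_GET['img']);
}
```

The MIME check is the weakest of the three layers, which is why the reply above says it does not completely safeguard you: a file can be a valid JPEG and still carry PHP code in a comment segment, and it will pass both finfo and getimagesize. What actually stops userimg.php.jpg from running is that the stored file gets a name and extension the attacker did not choose, lives in a directory the web server does not map, and is only ever read back by readfile(), never handed to the PHP interpreter.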
Re: Preventing CSRF and XSS Attacks?
@social_experiment: Thanks. These may be very good suggestions for getting a secure site.