Preventing CSRF and XSS Attacks?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

uday8486
Forum Newbie
Posts: 22
Joined: Fri Oct 28, 2011 11:42 pm
Location: Pune, India

Preventing CSRF and XSS Attacks?

Post by uday8486 »

First let me honestly accept that I am still confused about the meaning of CSRF and XSS attacks.

Little do I understand about it.

So what exact measures can be taken to prevent these attacks?

References and code are also appreciated.

Thanks
Uday
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Preventing CSRF and XSS Attacks?

Post by flying_circus »

These are both kind of broad topics; there isn't a silver bullet that will protect you. A good resource would be OWASP's Top 10, as both XSS and CSRF made the list. Here is a link that you can explore, which contains information on what each topic is, the thought process behind it, how to combat it, and more references.

https://www.owasp.org/index.php/Top_10_2010-Main
uday8486
Forum Newbie
Posts: 22
Joined: Fri Oct 28, 2011 11:42 pm
Location: Pune, India

Re: Preventing CSRF and XSS Attacks?

Post by uday8486 »

@flying_circus: Thanks, I will take a look.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Preventing CSRF and XSS Attacks?

Post by Mordred »

I disagree, there *is* a silver bullet, and it's fairly simple. If you want to fully understand it, there's more than that under the surface, but the solution is relatively straightforward:

1. Against XSS:

1.1. Escape output
$var = htmlspecialchars($var, ENT_QUOTES, <your CORRECT encoding>);
echo $var; //no injection possible
1.2. Don't allow text/html uploads (in your image upload scripts for example)

2. Against CSRF

2.1. Critical form actions should have hidden random token fields (there are tons of tutorials for this)
2.2. Do not allow XSS

-----

There are attacks that can theoretically go through these measures, but they are out of your application layer, so there's hardly anything you can do: browser defects, plugin defects, weak passwords ...
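Mordred's two measures (escape output with htmlspecialchars and an explicit encoding; a random hidden token on critical forms) worked through as an added example that is not code from this thread. It assumes PHP 7 or later (for random_bytes() and hash_equals()) and a site served as UTF-8.

```php
<?php
// Added example, not code from the thread: Mordred's two measures in PHP.
// Assumes PHP 7+ (random_bytes, hash_equals) and a UTF-8 site.
session_start();
// 1.1 Escape output: ENT_QUOTES plus an explicit, correct encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// 2.1 One random token per session, stored server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for critical forms; the token is escaped like any other output.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">';
}

// Constant-time comparison; a missing or mismatched token rejects the request.
function csrf_valid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// State-changing request: check the token first, then escape whatever you echo.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $comment = (string) ($_POST['comment'] ?? '');
    echo '<p>' . e($comment) . '</p>'; // "<script>" is rendered as text, not run
}
?>
<form method="post" action="">
    <?= csrf_field() ?>
    <textarea name="comment"></textarea>
    <button type="submit">Post comment</button>
</form>
```

A forged cross-site POST cannot read the session-bound token, so csrf_valid() fails and the action is never performed; everything the page echoes back goes through e(), so a submitted tag lands in the HTML as literal text.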
uday8486
Forum Newbie
Posts: 22
Joined: Fri Oct 28, 2011 11:42 pm
Location: Pune, India

Re: Preventing CSRF and XSS Attacks?

Post by uday8486 »

Ok, I got you Mordred!
But there was one case I came across where a site was hacked using an upload like userimg.php.jpg.

How can you scan this type of file, or prevent this from happening?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Preventing CSRF and XSS Attacks?

Post by social_experiment »

uday8486 wrote: How can you scan this type of file, or prevent this from happening?
There are quite a few things you can do; uploading files outside the webroot so they cannot be executed via the browser, changing file names, checking MIME types and only allowing certain types (although that doesn't completely safeguard you).
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
uday8486
Forum Newbie
Posts: 22
Joined: Fri Oct 28, 2011 11:42 pm
Location: Pune, India

Re: Preventing CSRF and XSS Attacks?

Post by uday8486 »

@social_experiment: Thanks. Maybe these are very good suggestions to get a secure site.