PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
All times are UTC - 5 hours
PostPosted: Fri Oct 28, 2011 11:53 pm 
First let me honestly accept that I am still confused about the meaning of CSRF and XSS attacks.

Little do I understand about it.

So what exact measures can be taken to prevent these attacks?

References and code are also appreciated.

Thanks
Uday

PostPosted: Sat Oct 29, 2011 12:16 am 
These are both kind of broad topics; there isn't a silver bullet that will protect you. A good resource would be OWASP's Top 10; both XSS and CSRF made the list. Here is a link that you can explore, which contains information on what each topic is, the thought process behind it, how to combat it, and more references.

https://www.owasp.org/index.php/Top_10_2010-Main
PostPosted: Sat Oct 29, 2011 8:28 am 
@flying_circus: Thanks, I will take a look.
PostPosted: Mon Oct 31, 2011 2:36 am 
I disagree: there *is* a silver bullet, and it's fairly simple. If you want to fully understand it, there's more than that under the surface, but the solution is relatively straightforward:

1. Against XSS:

1.1. Escape output
    $var = htmlspecialchars($var, ENT_QUOTES, 'UTF-8'); // the third argument must be the encoding your pages are actually served in
    echo $var; // no injection possible
1.2. Don't allow text/html uploads (in your image upload scripts for example)

2. Against CSRF

2.1. Critical form actions should have hidden random token fields (there are tons of tutorials for this)
2.2. Do not allow XSS

-----

There are attacks that can theoretically go through these measures, but they are out of your application layer, so there's hardly anything you can do: browser defects, plugin defects, weak passwords ...
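The hidden random token from point 2.1 together with the output escaping from point 1.1, as an added PHP example (not code posted in this thread); it assumes PHP 7 or later (for random_bytes and hash_equals) and that the page is served as UTF-8:

```php
<?php
// Added example: per-session CSRF token (2.1) plus HTML output escaping (1.1).
// Assumes PHP 7+ and that this page is served with charset UTF-8.
declare(strict_types=1);
session_start();

// 1.1: every value that ends up inside HTML goes through this, with the real page encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2.1: one unguessable token per session, created on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to include in every form that performs a critical action.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">';
}

// Constant-time comparison; a missing or mismatched token means the request
// did not come from a form this session rendered, so it is refused.
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // The critical action would run here; user data is echoed only through e().
    echo '<p>Hello, ' . e((string) ($_POST['name'] ?? '')) . '</p>';
}
?>
<form method="post" action="">
    <?= csrf_field() ?>
    <input type="text" name="name">
    <button type="submit">Save</button>
</form>
```

The token is tied to the session and compared with hash_equals, so a cross-site form post without it fails with 403 before the action runs, and rendering the token through e() keeps point 1.1 intact even in the hidden field.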
PostPosted: Mon Oct 31, 2011 6:08 am 
OK, I got you Mordred!
But there was one case I came across where a site was hacked using an upload like userimg.php.jpg.

How can you scan this type of file, or prevent this from happening?
PostPosted: Mon Oct 31, 2011 6:18 am 

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
PostPosted: Mon Oct 31, 2011 6:24 am 
@social_experiment: Thanks. Maybe these are very good suggestions to get a secure site.