
Preventing CSRF and XSS Attacks?

Posted: Fri Oct 28, 2011 11:53 pm
by uday8486
First, let me honestly accept that I am still confused about the meaning of CSRF and XSS attacks.

I understand little about them.

So what exact measures can be taken to prevent these attacks?

References and code are also appreciated.

Thanks
Uday

Re: Preventing CSRF and XSS Attacks?

Posted: Sat Oct 29, 2011 12:16 am
by flying_circus
These are both kind of broad topics, there isn't a silver bullet that will protect you. A good resource would be OWASP's Top 10, both XSS and CSRF made the list. Here is a link that you can explore, which contains information on what each topic is, the thought process behind it, how to combat it, and more references.

https://www.owasp.org/index.php/Top_10_2010-Main

Re: Preventing CSRF and XSS Attacks?

Posted: Sat Oct 29, 2011 8:28 am
by uday8486
@flying_circus: Thanks, I will take a look.

Re: Preventing CSRF and XSS Attacks?

Posted: Mon Oct 31, 2011 2:36 am
by Mordred
I disagree, there *is* a silver bullet, and it's fairly simple. If you want to fully understand it, there's more than that under the surface, but the solution is relatively straightforward:

1. Against XSS:

1.1. Escape output
$var = htmlspecialchars($var, ENT_QUOTES, 'UTF-8'); // third argument: your page's actual (correct) character set
echo $var; // no injection possible
1.2. Don't allow text/html uploads (in your image upload scripts for example)

2. Against CSRF

2.1. Critical form actions should have hidden random token fields (there are tons of tutorials for this)
2.2. Do not allow XSS

-----

There are attacks that can theoretically go through these measures, but they are out of your application layer, so there's hardly anything you can do: browser defects, plugin defects, weak passwords ...
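The two measures above put together in one page, as an added example that is not part of Mordred's post: every untrusted value is escaped on output, and the state-changing form carries a hidden random token that is checked with a constant-time comparison. The helper names (e(), csrf_token(), csrf_check()), the field name csrf_token and the assumption that the page is served as UTF-8 are this example's own, not a library API.

```php
<?php
// Added example, not code from the original thread.
// Helper names and the UTF-8 assumption are this example's own choices.
declare(strict_types=1);

// 1. Escape output: every untrusted value that lands in HTML goes through this.
//    ENT_QUOTES also escapes single quotes, so the result is safe inside attribute
//    values delimited with either quote style. 'UTF-8' is assumed to be the
//    encoding the page is actually served in; use your real charset here.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. CSRF token: one unguessable random token per session, stored server-side and
//    embedded as a hidden field in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 random bits
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison, so the check itself does not leak the token byte by byte.
// The parameter is untyped because $_POST values may be arrays, not strings.
function csrf_check($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // A forged cross-site request cannot read the token, so it cannot supply it:
    // reject the request outright when the token is missing or wrong.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the critical action (e.g. change the e-mail address) here ...
}

// Constructed sample input: an attacker-controlled display name.
$displayName = $_GET['name'] ?? '<script>alert(1)</script>';
?>
<!doctype html>
<meta charset="utf-8">
<p>Hello, <?= e($displayName) ?></p>   <!-- shown as literal text, never run as a script -->
<form method="post" action="">
    <input type="hidden" name="csrf_token" value="<?= e(csrf_token()) ?>">
    <input type="text" name="new_email" value="<?= e($_POST['new_email'] ?? '') ?>">
    <button type="submit">Change e-mail</button>
</form>
```

The escaping in e() only covers values placed in HTML text or attribute values; a value dropped into a JavaScript string, a URL or a CSS property needs the escaping rules of that context instead. The token check is what makes point 2.2 matter: an XSS hole on the same origin lets a script read csrf_token() out of the page and submit the form itself, so the token is only as strong as the site's XSS defences.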

Re: Preventing CSRF and XSS Attacks?

Posted: Mon Oct 31, 2011 6:08 am
by uday8486
Ok, I got you, Mordred!
But there was one case I came across where a site was hacked using an upload like userimg.php.jpg.

How can you scan this type of file, or prevent this from happening?

Re: Preventing CSRF and XSS Attacks?

Posted: Mon Oct 31, 2011 6:18 am
by social_experiment
uday8486 wrote: How can you scan this type of file, or prevent this from happening?
There are quite a few things you can do; uploading files outside the webroot so they cannot be executed via the browser, changing file names, checking MIME types and only allowing certain types (although that doesn't completely safeguard you).
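The upload hardening described above, written out as an added example that is not part of social_experiment's post: the file is stored outside the web root under a server-chosen random name, the type is sniffed from the file contents rather than taken from the client, and only an allow-list of image types is accepted, so a name like userimg.php.jpg never influences where or how the file is saved. The directory /var/app/uploads, the form field name "avatar" and the helper name store_image() are assumptions made for this example.

```php
<?php
// Added example, not code from the original thread.
// UPLOAD_DIR, the "avatar" field name and store_image() are this example's assumptions.
declare(strict_types=1);

// Storage directory OUTSIDE the web root: nothing placed here is ever executed by
// the web server, even if a script did slip past the checks below.
const UPLOAD_DIR = '/var/app/uploads';   // assumption: not under DocumentRoot
const MAX_BYTES  = 2 * 1024 * 1024;

// Allow-list. Key: MIME type detected from the file CONTENT; value: the extension
// we assign ourselves. The client-supplied name is never used to choose it.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and move it into UPLOAD_DIR under a random name.
 * Returns the stored filename, or throws on anything suspicious.
 */
function store_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Sniff the MIME type from the bytes, not from $file['type'], which the browser
    // (i.e. the attacker) supplies and can set to anything.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        // Only the rejection message mentions the client's name, e.g. "userimg.php.jpg".
        throw new RuntimeException("Rejected '{$file['name']}': detected type $mime");
    }

    // Second opinion from PHP's image parser, which catches files whose first bytes
    // merely resemble an image header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }

    // Random server-chosen name; the extension comes from ALLOWED, never from the client.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // readable by the application, not executable
    return $name;
}

// Usage: handle the "avatar" field of a multipart POST.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['avatar'])) {
    try {
        $stored = store_image($_FILES['avatar']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the files live outside the web root, they are served back through a small download script that reads from UPLOAD_DIR and sends a fixed Content-Type for the stored extension, never by a direct URL. As the reply notes, MIME checks are not a complete safeguard: a valid image can still carry PHP or HTML inside its comment or metadata sections, so re-encoding the image with GD or ImageMagick before storing it is the stronger option when the application can afford it.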

Re: Preventing CSRF and XSS Attacks?

Posted: Mon Oct 31, 2011 6:24 am
by uday8486
@social_experiment: Thanks. Maybe these are very good suggestions to get a secure site.