Accelerated Security Course - Episode 3: XSS
This article was written by Damien Metzger, and first published on the PrestaShop blog, on September 28th, 2011.
It would be wrong to assume that you need access to a website’s code to be able to hack into it. In fact, even at the HTML display level, you need to protect every piece of data that is shown.
You just need to enter the following string as a keyword:
A "kikoo" alert will appear on the page.
How can you protect yourself?
This is not very complicated: everything that appears in your HTML pages must be protected with a function like htmlentities(). In some cases you may also use additional functions such as strip_tags(), which removes all HTML tags from a string, or a simple
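As an added example (not code from the original article or from PrestaShop), here is the escaping step applied to a search keyword in PHP. The helper `e()`, the keyword value and the page fragments are constructed for illustration; the keyword stands in for a GET parameter such as `$_GET['keyword']`.

```php
<?php
// Added example: escaping a search keyword before it is written into an HTML page.
// Everything here is constructed for illustration; it is not PrestaShop code.

declare(strict_types=1);

// Central escaping helper: every variable that reaches an HTML page goes through it.
// ENT_QUOTES also escapes single quotes, which matters inside attributes like value='...'.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_GET['keyword'].
$keyword = '<script>alert("kikoo")</script> shoes';

// Vulnerable: the raw keyword is echoed into the page, so the browser runs the script.
$vulnerable = '<p>Results for: ' . $keyword . '</p>';

// Hardened: the same keyword, escaped, is displayed as plain text.
$hardened = '<p>Results for: ' . e($keyword) . '</p>';

// Escaping is needed inside attributes too, with the attribute value always quoted.
$searchBox = '<input type="text" name="keyword" value="' . e($keyword) . '">';

// strip_tags() is a different tool: it discards the markup instead of displaying it.
// It is not a substitute for escaping the final output, so the result still goes through e().
$stripped = '<p>Results for: ' . e(strip_tags($keyword)) . '</p>';

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
echo $searchBox, PHP_EOL;
echo $stripped, PHP_EOL;
```

The point of routing every output through one short helper is the one the article makes next: the hard part is not escaping, it is never forgetting to, and a single function that developers reach for by habit is easier to audit than escaping scattered across templates.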
The real difficulty is therefore not protecting yourself, but remembering to do so. The main reasons for forgetting are:
- The number of variables involved. An enormous number of variables are displayed to users, and all it takes is one "well-placed" variable for a hacker to exploit an XSS flaw.
In the same vein, when you are designing the website you need to decide at which point you are going to protect these variables. Directly in the template, to get it done early on? This is rather ineffective and inefficient. In the checkers? It’s easy to forget to check them all. In the view? If you consider that security is a developer’s job, then maybe. And of course, doing it at several levels is out of the question: you cannot apply these protection functions more than once to the same data, or you will end up with an illegible result. There is no quick fix for this issue: each page must be checked systematically, and everyone is involved in this.
- The type of variables involved. XSS does not only affect POST or GET data! For example, it is very easy to forge a referrer to exploit an unprotected "previous" button. Your database is perhaps not as secure as you think: it can be compromised by a deliberate attack, or because you have accidentally stored characters that the browser interprets (this won’t be an XSS, but the display will be broken).
In short: no data must be left out, as no data is completely reliable.
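The "previous" button built from the Referer header is a good illustration of data that is neither POST nor GET and still ends up in the page. The following is an added example (not code from the original article or from PrestaShop): the function `previousLink()`, the parameter `$ownHost` and the sample header values are all constructed for illustration, with `$referer` standing in for `$_SERVER['HTTP_REFERER']`.

```php
<?php
// Added example: hardening a "previous" link that is built from the HTTP Referer header.
// Everything here is constructed for illustration; it is not PrestaShop code.

declare(strict_types=1);

// Same escaping helper as for any other output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Use the referer only if it is an absolute http(s) URL on our own host ($ownHost is an
// assumed configuration value); anything else falls back to a safe default.
function previousLink(?string $referer, string $ownHost, string $fallback = '/'): string
{
    $href = $fallback;
    if ($referer !== null) {
        $parts = parse_url($referer);
        if ($parts !== false
            && isset($parts['scheme'], $parts['host'])
            && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
            && strcasecmp($parts['host'], $ownHost) === 0) {
            $href = $referer;
        }
    }
    // Validation decides where the link may point; escaping decides how the value is
    // written into the attribute. Both steps are needed, and neither replaces the other.
    return '<a href="' . e($href) . '">Previous</a>';
}

// Constructed sample values standing in for $_SERVER['HTTP_REFERER'].
$samples = [
    'https://shop.example/category/3?page=2', // legitimate, same host
    'https://evil.example/',                   // off-site: falls back to "/"
    '"><b>injected</b>',                       // forged header containing markup
    null,                                      // header absent
];

foreach ($samples as $referer) {
    echo previousLink($referer, 'shop.example'), PHP_EOL;
}
```

The same rule applies to values read back from the database, cookies or any other header: escape at output time regardless of where the data came from, because, as the article says, no data is completely reliable.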