Technique
- Attacker injects JS code into our page
- Usually through HTML forms (discussion, registration, search)
- Also via URL, RSS feeds, e-mails, ...
- Not only JS: injected HTML that changes the page design matters too
Risks
- Stealing session data
- Altering page design
- Invalid HTML
Defense
- Escape all untrusted data, preferably on output, because:
- The data may be used by other applications (escaped-on-input data is wrong for them)
- The data may come from other applications (never escaped on input)
- Escaped data is longer, so escaping on input risks truncation by length limits
- Don't use strip_tags():
- Users may want to write tags literally
- Expecting them to use entities instead is awkward
- With the second parameter (allowed tags), style and JS event attributes still pass through
- Use htmlspecialchars() or a templating system that escapes for you
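The two defenses above side by side, as an added example that is not part of the original slides: an output-escaping helper built on htmlspecialchars(), and a constructed input showing what strip_tags() with an allowed-tags list leaves in place. The function names e() and render_comment() are assumptions made for this example.

```php
<?php
// Added example (not from the original slides). Function names are assumed.
declare(strict_types=1);

/** Escape untrusted data for an HTML body or a double-quoted attribute. */
function e(string $untrusted): string
{
    // ENT_QUOTES escapes both ' and ", so the result is also safe inside
    // attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding "".
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one discussion comment; escaping happens here, on output. */
function render_comment(string $author, string $text): string
{
    return '<p class="comment" title="' . e($author) . '">'
         . '<b>' . e($author) . '</b>: ' . e($text) . '</p>';
}

// Constructed sample input: an allowed tag carrying a style attribute.
$input = '<b style="position:absolute;top:0">hi</b>';

// strip_tags() with a second parameter keeps the allowed tag together with
// every attribute on it, so style (and event) attributes pass through.
$stripped = strip_tags($input, '<b>');

// htmlspecialchars() shows the markup literally instead of interpreting it.
$escaped = e($input);

// The escaped form is longer than the raw input: store the raw value and
// escape on output, or a length-limited column may cut an entity in half.
echo "strip_tags: $stripped\n";
echo "escaped:    $escaped\n";
echo 'length raw/escaped: ', strlen($input), '/', strlen($escaped), "\n";
echo render_comment('Mallory', $input), "\n";
```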
Escaping priority
- Data displayed to other users (security)
- Data displayed to the user himself (usability)
- Our own trusted data (phishing)
Tasks
- Write a PHP script to steal sessions
- Steal sessions on an unsecured site
- Steal sessions on a site protected with strip_tags()