McAfee XSS Vulnerability and PHP XSS Prevention Review
Posted by hawk under Security
Yes, it is disgusting that the people at McAfee have obvious XSS errors on their pages. Here is a bit from readwriteweb:
“During tests this weekend, we discovered the company who claims to ‘keep you safe from identity theft, credit card fraud…’ has several cross-site scripting vulnerabilities and provides the bad guys with a brilliant — albeit ironic — launching pad from which to unleash their attacks.”
As you know, we have shown other sites, along with WordPress themes, with obvious XSS problems. XSS shouldn’t be a problem if you follow these rules:
- Deny by default: reject every character a field has not explicitly been allowed to contain, before it reaches your database.
- Open only the inputs that are needed, i.e. a First Name field only needs upper- and lower-case letters and nothing else.
- Verify that each validation/filter rule actually works with proper test cases. ha.ckers.org has a great list of XSS tests to run, but the basic idea is to try to break your own code.
What this does is keep characters such as > and <, and other non-alphanumeric or non-ASCII bytes, out of your HTML output and, worse, out of your database. It really is that simple: prevent people from injecting <script> by allowing only letters, so what reaches the page is “script” without the angle brackets, which renders as plain text and not as an HTML tag.
If you must allow tags and dangerous characters, contain that data so it cannot get loose: validate it on the way in, and encode it for the context it is rendered into (HTML body, attribute, JavaScript, URL) on the way out. Input validation alone is not enough, because a value that is legitimate in one context (an apostrophe in a surname, an ampersand in a company name) is still dangerous in another.
Don’t just output unfiltered/unvalidated data into the HTML you render, into code, into the database, etc.
PHP provides a wealth of filters to help: look up the string functions (htmlspecialchars, strip_tags) and the filter extension (filter_var) on php.net, along with the PEAR/PECL libraries, or even build your own module. There are many options; just use one, and use it consistently.
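The three rules above, as an added example written for this post (it is not code from the original article or from McAfee): an allow-list validator for a first-name field, an HTML encoder for the way out, and a minimal tag allow-list for the “if you must allow tags” case, all run against a handful of constructed ha.ckers.org-style payloads. The 50-character name limit, the three allowed tags and the payload list are assumptions made for the example.

```php
<?php
// Added example (not from the original post): allow-list validation on the
// way in, plus context-aware output encoding on the way out.
declare(strict_types=1);

/**
 * First name: only upper/lower-case ASCII letters, 1..50 of them (the limit
 * is a hypothetical choice). Returns the value on success, null otherwise.
 * Anchors plus the D modifier stop a trailing newline from slipping past $.
 */
function validateFirstName(string $raw): ?string
{
    return preg_match('/^[A-Za-z]{1,50}$/D', $raw) === 1 ? $raw : null;
}

/**
 * Escape for an HTML body or quoted-attribute context. ENT_QUOTES encodes
 * both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string, which would silently drop the value.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * "If you must allow tags": keep a tiny allow-list and strip everything else.
 * strip_tags() keeps attributes on the tags it allows, so a second pass
 * removes every attribute (onmouseover="...", href="javascript:...") from
 * the tags that survive. Output is only safe in an HTML body context.
 */
function sanitizeRichText(string $raw): string
{
    $kept = strip_tags($raw, '<b><i><p>');
    // <b onmouseover="alert(1)"> becomes <b>; closing tags are preserved.
    return preg_replace('/<(\/?)(b|i|p)\b[^>]*>/i', '<$1$2>', $kept);
}

// Constructed test inputs in the spirit of the ha.ckers.org cheat sheet.
$payloads = [
    'Alice',
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
    "Bob\n",
    '<b onmouseover="alert(1)">bold</b><script>x</script>',
];

foreach ($payloads as $p) {
    $name = validateFirstName($p);
    printf("%-55s name=%s\n", json_encode($p), $name === null ? 'REJECTED' : $name);
    printf("%-55s html=%s\n", '', escapeHtml($p));
    printf("%-55s rich=%s\n", '', sanitizeRichText($p));
}
```

Only the first payload passes validateFirstName(); everything else, including “Bob” with a trailing newline, is rejected rather than cleaned up, which is the point of the deny-by-default rule. escapeHtml() turns the remaining payloads into inert text, and sanitizeRichText() reduces the last one to <b>bold</b>x. For anything beyond a three-tag allow-list, a purpose-built sanitizer such as HTML Purifier is a better choice than a hand-written regex.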