XSS (cross site scripting)
The article "Ensuring a website safety" is provided by Sophos Plc and SophosLabs.
This type of attack is aimed at sites that display data entered by the user. Instead of trying to gain control of the database by entering malicious code, the attacker aims at the code of the site itself, inserting malicious fragments into the page it serves.
Consider the following PHP code:
$firstname = $_POST["firstname"];
echo "Your name: $firstname";
After a name is entered in the web form, the site displays a corresponding message on the page. If you enter “Chris”, the message will read: “Your name: Chris”.
What if you enter the following instead of a name: “<script>alert('You just got hacked!');</script>”? The input is copied into the page unchanged, so the browser of anyone who views that page runs the script.
Unfortunately, XSS attacks are often difficult to prevent. You have to filter both input and output data, as well as every field that can be changed by users. This includes data received from GET and POST requests, and also data returned by database queries, since stored values may have been supplied by a user earlier.
A number of PHP packages help filter the output, for example CodeIgniter. PHP also has a built-in htmlspecialchars function, which encodes the characters that are significant in HTML so that user data is displayed as text rather than interpreted as markup.
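The following PHP script is an added example, not code from the Sophos article: it places the article's vulnerable echo beside a version that passes the value through htmlspecialchars before output. The function names render_name_unsafe, render_name_safe and escape_html, and the two sample inputs (the name “Chris” and the script payload quoted above), are constructed for this illustration.

```php
<?php
// Added example, not part of the original article. The function names and the
// sample inputs below are constructed for illustration only.

// The vulnerable form from the article: the submitted value is placed into the
// page exactly as received, so any HTML or script in it becomes part of the page.
function render_name_unsafe(string $firstname): string
{
    return "Your name: $firstname";
}

// Encode a value for an HTML text (or quoted attribute) context.
// ENT_QUOTES converts both ' and " so the value is also safe inside attributes;
// the explicit charset avoids depending on the host's default_charset setting.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened form: the same message, but the user-controlled part is encoded
// at the point where it is written into HTML.
function render_name_safe(string $firstname): string
{
    return "Your name: " . escape_html($firstname);
}

// How the form handler would use it: read the field and encode on output.
// (Shown as a function so the script can also be run from the command line.)
function handle_post(array $post): string
{
    $firstname = $post['firstname'] ?? '';
    return render_name_safe($firstname);
}

// Constructed inputs: a normal name and the script payload from the article.
$inputs = [
    'Chris',
    "<script>alert('You just got hacked!');</script>",
];

foreach ($inputs as $input) {
    echo "input:  $input\n";
    echo "unsafe: " . render_name_unsafe($input) . "\n";
    echo "safe:   " . render_name_safe($input) . "\n\n";
}

// Simulated form submission with the payload; the returned HTML shows the
// angle brackets and quotes as entities, so the browser displays them as text.
echo handle_post(['firstname' => "<script>alert('You just got hacked!');</script>"]) . "\n";
```

Run it with `php example.php` and compare the “unsafe” and “safe” lines for the second input: the unsafe line still contains a live script tag, while the safe line has its `<`, `>` and quotes turned into entities. Note that htmlspecialchars is only correct for HTML text and quoted attribute contexts; a value written into a JavaScript block, a URL, or a CSS rule needs the encoding appropriate to that context, which is why the article's advice to treat every output point separately matters.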