Skip to main content

How to prevent Cross Site Scripting ( XSS ) attack using .htaccess file and PHP

XSS attack prevention using .htaccess file and PHP.


Cross Site Scripting of XSS attack is a type of Cyber attack in which hacker is able to include malicious JS or iframe codes into the webpages by expoiting the vulberabilities in the web page url. If successful, the hacker can manipulate or steal cookies, create requests which appear to come from a valid user, compromise confidential information, or execute malicious code on end user systems. Hacker can include JS or iframe codes as parameters of Query string variable. if the REQUEST variables are not validated and if it is printed on the page as such, then the page content will contain the malicious script embeded in that. The effect of XSS attack may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the affected site.
A solution for this is adding the following lines into the .htaccess file in the root.


#Enabling RewriteEngine
RewriteEngine On


#loading mod_rewrite module of apache
<IfModule mod_rewrite.c>
#ADDED TO PASS SECURITY METRICS XSS CROSS SITE SCRIPTING ERRORS
# if xss code is passed as parameters to the query string , redirecting it to a custom page showing forbidden message
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ /Your_custom_page_to_display [R=301,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

#END OF XSS FIX
RewriteRule .*(\<|%3C).*script.*(\>|%3E).* /Your_custom_page_to_display [L,R=301,NC]

</IfModule>

You may read XSS Attacks: Cross Site Scripting Exploits and Defense to have more details about various types of XSS attacks and solutions for handling it. You can also validate the $_GET parameters to check for any scope of XSS attack, Check $_GET parameter validation for XSS attack for a PHP code wise solution.

Labels:

Popular posts from this blog

How to delete videos from your Youtube Watch History list?

How to Delete Individual or all videos from your Youtube Watch History list? Youtube keeps a fine record of the videos that you had watched earlier. You can view this by visiting the History section. If you want to remove the video's from the list do the following: Logon to Youtube and click on the "History" tab on the left menu to view Watch History ( Read more ) There will be check boxes corresponding to each video in the list Tick the check boxes of the videos which you want to remove Click on " Remove " button to delete the videos.
Read more

How to add "Link to this page" option under blogger posts?

Steps in adding Link to this page to your blogger posts Links to your page can improve your page rank. So it is a good option to add HTML code for linking to your web page. So that reader can copy and paste it on their web page. if another website links to your web page, this is considered an external link to your website. External links to your website are the most important source of ranking power and in SEO terminology it is considered as third party ranking vote for your page.
Read more

Intex Aqua 5.5 VR Plus genuine Review - Dont Buy Intex Aqua 5.5 VR Plus - Board complaint and low battery backup issues

Intex Aqua 5.5 VR Plus  Review - Dont Buy Intex Aqua 5.5 VR + - Board complaint and low battery backup issues I bought an Intex Aqua 5.5 VR Plus on April 23, 2018, With in a week it started to show Battery backup issues. Even if it is charged full, it will completely drain out with in 12 or 13 hours. During this time No internet was used, only 2 or 3 calls were done. Some times there was issues with net connection also.
Read more


Urgent Openings for PHP trainees, Andriod / IOS developers and PHP developers in Kochi Trivandrum Calicut and Bangalore. Please Send Your updated resumes to recruit.vo@gmail.com   Read more »
Member
Search This Blog