Skip to main content

How to prevent Cross Site Scripting ( XSS ) attack using .htaccess file and PHP

XSS attack prevention using .htaccess file and PHP.


Cross Site Scripting of XSS attack is a type of Cyber attack in which hacker is able to include malicious JS or iframe codes into the webpages by expoiting the vulberabilities in the web page url. If successful, the hacker can manipulate or steal cookies, create requests which appear to come from a valid user, compromise confidential information, or execute malicious code on end user systems. Hacker can include JS or iframe codes as parameters of Query string variable. if the REQUEST variables are not validated and if it is printed on the page as such, then the page content will contain the malicious script embeded in that. The effect of XSS attack may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the affected site.
A solution for this is adding the following lines into the .htaccess file in the root.


#Enabling RewriteEngine
RewriteEngine On


#loading mod_rewrite module of apache
<IfModule mod_rewrite.c>
#ADDED TO PASS SECURITY METRICS XSS CROSS SITE SCRIPTING ERRORS
# if xss code is passed as parameters to the query string , redirecting it to a custom page showing forbidden message
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ /Your_custom_page_to_display [R=301,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

#END OF XSS FIX
RewriteRule .*(\<|%3C).*script.*(\>|%3E).* /Your_custom_page_to_display [L,R=301,NC]

</IfModule>

You may read XSS Attacks: Cross Site Scripting Exploits and Defense to have more details about various types of XSS attacks and solutions for handling it. You can also validate the $_GET parameters to check for any scope of XSS attack, Check $_GET parameter validation for XSS attack for a PHP code wise solution.

Labels:

Popular posts from this blog

Deep-sea Anglerfish Black Seadevil Scary looking creature Video

Deep-sea Anglerfish are the strange and elusive creature that are very rarely observed in their natural habitat. Fewer than half a dozen have ever been captured on film or video by deep-diving research vehicles.They are mostly  found in tropical to temperate waters of the Indian,Pacific and Atlantic Oceans.
Read more

How to use WiFi adapter on Ubuntu 16.04 desktop PC - Realtek RTL8188EUS 802.11n Wireless USB Network Adapter Driver installation

Installation of Realtek RTL8188EUS 802.11n Wireless USB Network Adapter on Desktop PC having Ubuntu 16.04 OS My PC is running in Ubuntu 16.04 OS, recently I thought of using a dongle wife adapter to access our home's Wifi network. For this I used Realtek RTL8188EUS 802.11n Wireless USB Network Adapter ( Model No: OT-WUA950NM ) This small device cost around Rupees 250/- to Rs 300/- in India. I did the following steps for installation of this Realtek Nano Wifi Adapter: Plug Realtek RTL8188EUS 802.11n Wireless USB Network Adapter to your PC's USB port, Take the terminal application and run the command "lsusb" to list the plugged in usb devices: Myhome:~$ lsusb Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 001 Device 003: ID 0bda:8179 Realtek Semiconductor Corp. R...
Post a Comment
Read more

Cheap Tourist boat service in Alapuzha - Enjoy the beauty of Aleppey Back waters using govt owned Tourist boat services

Feasible Tourist boat services in Alapuzha Aleppey / Alappuzha is one of the beautiful places in kerala. Aleppey district is famous for it amazing backwaters , you can enjoy house boat rides here. Kerala State Water transport department  (Kerala SWTD) provides facilities for tourists to enjoy the beauty of backwater by paying much less charge when compared to private boat services. There are boat services from Aleppey boat station which takes tourists to inner parts of the backwaters.
Read more


Urgent Openings for PHP trainees, Andriod / IOS developers and PHP developers in Kochi Trivandrum Calicut and Bangalore. Please Send Your updated resumes to recruit.vo@gmail.com   Read more »
Member
Search This Blog