Skip to main content

How to prevent Cross Site Scripting ( XSS ) attack using .htaccess file and PHP

XSS attack prevention using .htaccess file and PHP.


Cross Site Scripting of XSS attack is a type of Cyber attack in which hacker is able to include malicious JS or iframe codes into the webpages by expoiting the vulberabilities in the web page url. If successful, the hacker can manipulate or steal cookies, create requests which appear to come from a valid user, compromise confidential information, or execute malicious code on end user systems. Hacker can include JS or iframe codes as parameters of Query string variable. if the REQUEST variables are not validated and if it is printed on the page as such, then the page content will contain the malicious script embeded in that. The effect of XSS attack may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the affected site.
A solution for this is adding the following lines into the .htaccess file in the root.


#Enabling RewriteEngine
RewriteEngine On


#loading mod_rewrite module of apache
<IfModule mod_rewrite.c>
#ADDED TO PASS SECURITY METRICS XSS CROSS SITE SCRIPTING ERRORS
# if xss code is passed as parameters to the query string , redirecting it to a custom page showing forbidden message
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ /Your_custom_page_to_display [R=301,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

#END OF XSS FIX
RewriteRule .*(\<|%3C).*script.*(\>|%3E).* /Your_custom_page_to_display [L,R=301,NC]

</IfModule>

You may read XSS Attacks: Cross Site Scripting Exploits and Defense to have more details about various types of XSS attacks and solutions for handling it. You can also validate the $_GET parameters to check for any scope of XSS attack, Check $_GET parameter validation for XSS attack for a PHP code wise solution.

Labels:

Popular posts from this blog

How to delete videos from your Youtube Watch History list?

How to Delete Individual or all videos from your Youtube Watch History list? Youtube keeps a fine record of the videos that you had watched earlier. You can view this by visiting the History section. If you want to remove the video's from the list do the following: Logon to Youtube and click on the "History" tab on the left menu to view Watch History ( Read more ) There will be check boxes corresponding to each video in the list Tick the check boxes of the videos which you want to remove Click on " Remove " button to delete the videos.
Read more

ICICI prudential Customer portal updated - Option to change password is missing - Know how to change your ICICI prudential password

Recently I received an SMS from ICICI prudential asking for login to their website's customer portal using the phone number as user Id and an autogenerated one time password given in the message as password. The SMS messsage was like this. Dear ***Cust Name*** login to your policy(ies) on www.iciciprulife.com with your user id as **mobile number*** and One time use password as ***password***
Read more

What are the Income Tax Rates for Indian citizens for Financial Year 2017-2018?

Income Tax Slab and Rates given below are for Indian citizens of age less than 60. This rates are applicable for the Financial Year 2017-2018 Income Tax Slab Rates Financial Year 2017-2018 Assessment Year 2018-19 Income Tax Slab Rates SLAB 1 Individuals whose total income not exceeding Rs. 2,50,000 ( 2.5 lakhs ) They are exempted from paying income tax.
Read more


Urgent Openings for PHP trainees, Andriod / IOS developers and PHP developers in Kochi Trivandrum Calicut and Bangalore. Please Send Your updated resumes to recruit.vo@gmail.com   Read more »
Member
Search This Blog