
How to prevent Cross Site Scripting ( XSS ) attack using .htaccess file and PHP

XSS attack prevention using .htaccess file and PHP.


Cross Site Scripting, or XSS, is a type of cyber attack in which a hacker is able to include malicious JS or iframe code in web pages by exploiting vulnerabilities in the web page URL. If successful, the hacker can manipulate or steal cookies, create requests which appear to come from a valid user, compromise confidential information, or execute malicious code on end user systems. The hacker can include JS or iframe code as parameters of a query string variable. If the REQUEST variables are not validated and are printed on the page as such, then the page content will contain the malicious script embedded in it. The effect of an XSS attack may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the affected site.
A solution for this is to add the following lines to the .htaccess file in the root.


# Apply these rules only if Apache's mod_rewrite module is loaded
<IfModule mod_rewrite.c>
# Enable the rewrite engine
RewriteEngine On

#ADDED TO PASS SECURITY METRICS XSS CROSS SITE SCRIPTING ERRORS
# If XSS code is passed as parameters in the query string, redirect to a custom page showing a forbidden message.
# The trailing "?" drops the original query string, so the redirected request does not match these conditions again and loop.
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ /Your_custom_page_to_display? [R=301,L]

# Refuse TRACE and TRACK requests with 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# Same script-tag check applied to the URL path
RewriteRule .*(\<|%3C).*script.*(\>|%3E).* /Your_custom_page_to_display [L,R=301,NC]
#END OF XSS FIX

</IfModule>

You may read XSS Attacks: Cross Site Scripting Exploits and Defense for more details about the various types of XSS attacks and the solutions for handling them. You can also validate the $_GET parameters to check for any scope of XSS attack; see "$_GET parameter validation for XSS attack" for a PHP code solution.
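
The rewrite rules above only inspect the query string and the URL path, so the page itself still has to validate request values and encode them when printing. The following is an added example of that $_GET handling, not code from the original post; the parameter names page and q and the helpers e() and validate_query() are hypothetical.

```php
<?php
// Added example: validate query-string input against an allow-list, then
// HTML-encode it on output. Parameter names (page, q) are hypothetical.

/** Encode a value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Validate raw query parameters. Returns [clean values, names that failed].
 * Takes the array as an argument so it can be exercised without a web server.
 */
function validate_query(array $get): array
{
    $clean = [];
    $errors = [];

    // "page" must be an integer in 1..1000; arrays and text are rejected.
    $page = filter_var($get['page'] ?? '1', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($page === false) {
        $errors[] = 'page';
    } else {
        $clean['page'] = $page;
    }

    // "q" is free text: must be a string, at most 100 bytes, valid UTF-8.
    $q = $get['q'] ?? '';
    if (!is_string($q) || strlen($q) > 100 || preg_match('//u', $q) !== 1) {
        $errors[] = 'q';
    } else {
        $clean['q'] = trim($q);
    }

    return [$clean, $errors];
}

[$clean, $errors] = validate_query($_GET);
if ($errors) {
    http_response_code(400);
    exit('Invalid parameter: ' . e(implode(', ', $errors)));
}

// Free text reaches the page only through e(), so markup in it shows as text.
echo '<p>Results for "' . e($clean['q']) . '", page ' . $clean['page'] . '</p>';
```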
