Skip to main content

How to prevent Cross Site Scripting ( XSS ) attack using .htaccess file and PHP

XSS attack prevention using .htaccess file and PHP.


Cross Site Scripting of XSS attack is a type of Cyber attack in which hacker is able to include malicious JS or iframe codes into the webpages by expoiting the vulberabilities in the web page url. If successful, the hacker can manipulate or steal cookies, create requests which appear to come from a valid user, compromise confidential information, or execute malicious code on end user systems. Hacker can include JS or iframe codes as parameters of Query string variable. if the REQUEST variables are not validated and if it is printed on the page as such, then the page content will contain the malicious script embeded in that. The effect of XSS attack may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the affected site.
A solution for this is adding the following lines into the .htaccess file in the root.


#Enabling RewriteEngine
RewriteEngine On


#loading mod_rewrite module of apache
<IfModule mod_rewrite.c>
#ADDED TO PASS SECURITY METRICS XSS CROSS SITE SCRIPTING ERRORS
# if xss code is passed as parameters to the query string , redirecting it to a custom page showing forbidden message
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ /Your_custom_page_to_display [R=301,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

#END OF XSS FIX
RewriteRule .*(\<|%3C).*script.*(\>|%3E).* /Your_custom_page_to_display [L,R=301,NC]

</IfModule>

You may read XSS Attacks: Cross Site Scripting Exploits and Defense to have more details about various types of XSS attacks and solutions for handling it. You can also validate the $_GET parameters to check for any scope of XSS attack, Check $_GET parameter validation for XSS attack for a PHP code wise solution.

Popular posts from this blog

Payback Points - How to redeem - How to merge multiple payback accounts - Block Payback card - Payback customer care

Your SBI Debit card ending with XX0000 is deactivated only for Internet txn.

SBI account holders may have received an SMS with following message, supposed to be from State Bank of India (SBI).

Your SBI Debit card ending with XX0000  is deactivated only for Internet txn. To activate send SMS "SWON ECOM 0000" to 09223966666. No change for ATM/POS usage
** Replace the four Zeros with last 4 digits of your debit card number

Recently many of the SBI account holder has losed their money due to a hi-tech ATM robbery which happened in Thiruvananthapuram, capital city of Kerala.

Joomla and Forum Integration - Integrating Forums to Joomla

Joomla is one of the most popular CMS opensource packages. It is very easier to develop website's using Joomla. You just need to download Joomla package from Joomla's Official website www.joomla.org  and install it on your domain and later adding customizations to templates and feature and Your website is ready :). Now a days most websites provides a forum section for it users for discussing various article topics, gathering opinions etc.



Following are some best know forum opensource packages which can be integrated with Joomla and create a new forum experience for users


Urgent Openings for PHP trainees, Andriod / IOS developers and PHP developers in Kochi Trivandrum Calicut and Bangalore. Please Send Your updated resumes to recruit.vo@gmail.com   Read more »
Member
Search This Blog