WireSocket already does a terrific job of securing sites from XSS and SQL attacks with a top-of-the-line security implementation. Without any editing of your scripts, your sites and servers are secure from general XSS attacks and SQL injections. Here is something you can do to go a step further: a description of the steps that can be taken to prevent iframes from being injected directly from the browser, with sample code at the end that can be embedded into the HTML.

Description:

Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end user's system. The data is usually formatted as a hyperlink containing malicious content and is distributed over any possible means on the Internet.

Defenses:

Validate your input parameters with regular expressions (pattern matching): http://www.regular-expressions.info

```javascript
var objRegExp = /^\([1-9]\d{2}\)\s?\d{3}\-\d{4}$/;   // Phone Number: (555)555-5555
var objRegExp = /^\d{1,2}(\-|\/|\.)\d{1,2}\1\d{4}$/;  // Date Format: mm/dd/yyyy (\1 forces the same separator twice)
var objRegExp = /(^-?\d\d*$)/;                       // Integer: digits or negative number
```

Strip out dangerous characters if they are not required in the form submission:

    &   Ampersand
    '   Single Quote
    "   Double Quote
    <   Less Than
    >   Greater Than
    (   Open Bracket
    )   Close Bracket
    [   Open Square Bracket
    ]   Close Square Bracket
    ;   Semicolon
    :   Colon
    /   Forward Slash
    {   Left Brace
    }   Right Brace
    !   Exclamation
    --  Double Dash
    =   Equal Sign
    _   Underscore

Encode required characters via the ISO 8859-1 Latin 1 character set: http://www.htmlhelp.com/reference/charset/iso032-063.html

    Encode &  to &amp;
    Encode '  to &#39;
    Encode "  to &quot;
    Encode <  to &lt;
    Encode >  to &gt;
    Encode (  to &#40;
    Encode )  to &#41;
    Encode [  to &#91;
    Encode ]  to &#93;
    Encode ;  to &#59;
    Encode :  to &#58;
    Encode /  to &#47;
    Encode {  to &#123;
    Encode }  to &#125;
    Encode !  to &#33;
    Encode -- to &#45;&#45;
    Encode =  to &#61;
    Encode _  to &#95;

One minor defense that is often worth doing is the "HttpOnly" flag for cookies. Scripts that run in a web browser cannot access cookie values that have the HttpOnly flag set. This is currently implemented only for Microsoft Internet Explorer.

Code Examples:

ASP (VBScript) Simple Filter:

```asp
<%@ LANGUAGE="VBSCRIPT" %>
<%
' XSS Simple Filter
ExampleInput = ";:!--=&<'XSS_Check"">{}()[]"
ExampleOutput = HackerSafe_Filter(ExampleInput)
Response.Write(ExampleOutput)

' Walks the input once and maps each dangerous character to its entity.
' A chain of Replace() calls cannot be used here: every entity contains
' "&" and ";", so a later Replace of ";" would turn "&amp;" into "&amp&#59;".
Function HackerSafe_Filter(cleanvar)
    Dim i, ch, out
    out = ""
    i = 1
    Do While i <= Len(cleanvar)
        ch = Mid(cleanvar, i, 1)
        Select Case ch
            Case "&": out = out & "&amp;"     ' Ampersand
            Case "'": out = out & "&#39;"     ' Single Quote
            Case """": out = out & "&quot;"   ' Double Quote
            Case "<": out = out & "&lt;"      ' Less Than
            Case ">": out = out & "&gt;"      ' Greater Than
            Case "(": out = out & "&#40;"     ' Open Bracket
            Case ")": out = out & "&#41;"     ' Close Bracket
            Case "[": out = out & "&#91;"     ' Open Square Bracket
            Case "]": out = out & "&#93;"     ' Close Square Bracket
            Case ";": out = out & "&#59;"     ' Semicolon
            Case ":": out = out & "&#58;"     ' Colon
            Case "/": out = out & "&#47;"     ' Forward Slash
            Case "{": out = out & "&#123;"    ' Left Brace
            Case "}": out = out & "&#125;"    ' Right Brace
            Case "!": out = out & "&#33;"     ' Exclamation
            Case "=": out = out & "&#61;"     ' Equal Sign
            Case "_": out = out & "&#95;"     ' Underscore
            Case "-"                          ' Double Dash (SQL comment marker)
                If Mid(cleanvar, i, 2) = "--" Then
                    out = out & "&#45;&#45;"
                    i = i + 1
                Else
                    out = out & ch
                End If
            Case Else: out = out & ch
        End Select
        i = i + 1
    Loop
    HackerSafe_Filter = out
End Function
%>
```

PHP Simple Filter:

```php
<?php
// XSS Simple Filter
$ExampleInput = ";:!--=&<'XSS_Check\">{}()[]";
$ExampleOutput = HackerSafe_Filter($ExampleInput);
echo $ExampleOutput;

// strtr() walks the input once and never re-scans replacement text, so the
// "&" and ";" inside an emitted entity are not encoded a second time (a chain
// of str_replace() calls would turn "&amp;" into "&amp&#59;").
function HackerSafe_Filter($cleanvar) {
    $map = array(
        "&"  => "&amp;",      // Ampersand
        "'"  => "&#39;",      // Single Quote
        "\"" => "&quot;",     // Double Quote
        "<"  => "&lt;",       // Less Than
        ">"  => "&gt;",       // Greater Than
        "("  => "&#40;",      // Open Bracket
        ")"  => "&#41;",      // Close Bracket
        "["  => "&#91;",      // Open Square Bracket
        "]"  => "&#93;",      // Close Square Bracket
        ";"  => "&#59;",      // Semicolon
        ":"  => "&#58;",      // Colon
        "/"  => "&#47;",      // Forward Slash
        "{"  => "&#123;",     // Left Brace
        "}"  => "&#125;",     // Right Brace
        "!"  => "&#33;",      // Exclamation
        "--" => "&#45;&#45;", // Double Dash
        "="  => "&#61;",      // Equal Sign
        "_"  => "&#95;",      // Underscore
    );
    return strtr($cleanvar, $map);
}
?>
```

Read more about Cross Site Scripting: http://en.wikipedia.org/wiki/Cross-site_scripting

Source: IntegrityHost
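The "validate, then encode" defense described above, as an added JavaScript example that is not part of the original article or of WireSocket's own code: it uses the article's three validation patterns as the input gate, applies the article's entity map in a single pass, and includes a check that shows why a chain of replace() calls corrupts its own output. The sample iframe input is constructed for the example.

```javascript
// Input validation with the patterns from the article.
const VALIDATORS = {
  phone:   /^\([1-9]\d{2}\)\s?\d{3}\-\d{4}$/,   // (555)555-5555
  date:    /^\d{1,2}(\-|\/|\.)\d{1,2}\1\d{4}$/,  // mm/dd/yyyy, same separator both times
  integer: /(^-?\d\d*$)/,                        // digits, optional leading minus
};
function isValid(kind, value) {
  return VALIDATORS[kind].test(value);
}

// The article's entity map (ISO 8859-1 code points for the dangerous characters).
const ENTITY_MAP = {
  "&": "&amp;", "'": "&#39;", '"': "&quot;", "<": "&lt;", ">": "&gt;",
  "(": "&#40;", ")": "&#41;", "[": "&#91;", "]": "&#93;", ";": "&#59;",
  ":": "&#58;", "/": "&#47;", "{": "&#123;", "}": "&#125;", "!": "&#33;",
  "--": "&#45;&#45;", "=": "&#61;", "_": "&#95;",
};

// Single pass: each input character is matched once, so the "&" and ";"
// inside an entity that was just emitted are never fed back in.
function encodeOnePass(s) {
  return s.replace(/--|[&'"<>()\[\];:\/{}!=_]/g, (m) => ENTITY_MAP[m]);
}

// Chained replacement in map order: later steps rewrite characters that
// earlier steps produced (";" -> "&#59;" turns "&amp;" into "&amp&#59;").
function encodeChained(s) {
  for (const [from, to] of Object.entries(ENTITY_MAP)) s = s.split(from).join(to);
  return s;
}

// True when some "&" in the output does not begin a complete entity,
// i.e. the encoder has damaged its own output.
function hasBrokenEntity(s) {
  return /&(?!(amp|lt|gt|quot|#\d+);)/.test(s);
}

// Constructed field value carrying an iframe tag.
const SAMPLE = '<iframe src="http://example.invalid/"></iframe>';
```

Fields that do not match their validator should be rejected before encoding; the encoder is the last line of defense for text that has to be echoed back into the page.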