Are you safe? Dangers of XSS…

If you allow the visitors of your site to contribute, for example through a simple comment textbox, you take the risk that a malicious user injects evil code into a comment.

This evil code is then executed in the browser of your site's ordinary visitors. Scripts can steal passwords (maybe your own admin account), trick the user into giving up other sensitive data, or download malware, because the visitors trust your site.

This kind of security vulnerability is referred to as XSS, or Cross-Site Scripting.

Always have input validation and filter your input

A common approach is to sanitize the data against a whitelist or blacklist of characters, eliminating dangerous characters before storing or using the data. Another is to always HTML-encode data when it is rendered. But it is harder than you think to get it right!

70 ways to write the same character

So you think you are smart and have a string replace or regular expression that removes "<" from the user's input on your website, so you are safe? I guess you need to test again… I had to!

Did you know that there are 70 different ways to write the "<" character in HTML? Read Robert Hansen's good cheat sheet that lists known XSS attacks to get scared and take the problem seriously.
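To make the two approaches above concrete, here is an added example (not code from the original post): the "remove '<' from the input" string replace that the post warns about, beside the encode-on-render approach it recommends. The function names and the sample comments are assumptions constructed for illustration.

```javascript
// Added example, not code from the original post: the "remove '<' from the
// input" filter the post warns about, beside the HTML-encode-on-render
// approach it recommends. Function names are assumptions for illustration.

// Weak filter: a string replace that removes one spelling of "<". It knows
// nothing about the other ways the character can be written in HTML and it
// leaves ">", "&" and quotes alone, so it cannot make input safe on its own.
function stripLessThan(input) {
  return String(input).replace(/</g, "");
}

// Hardened approach: at render time, encode every character that carries
// meaning in an HTML text node or a quoted attribute value. "&" is encoded
// too, so stored text can never be reinterpreted as an entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function htmlEncode(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored comment. The comment is stored exactly as submitted;
// encoding happens here, for the HTML context it is inserted into.
function renderComment(author, body) {
  return `<li class="comment" data-author="${htmlEncode(author)}">${htmlEncode(body)}</li>`;
}

// Defender-side check: after encoding, the only tags in the rendered markup
// should be the template's own <li> element.
function containsOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.every((t) => /^<\/?li\b/i.test(t));
}

// Constructed sample input: a harmless comment and one carrying a script tag.
const SAMPLE_COMMENTS = [
  { author: "alice", body: "Nice post! 1 < 2 && 2 > 1" },
  { author: "mallory", body: "<script>alert(1)</script>" },
];

for (const c of SAMPLE_COMMENTS) {
  const html = renderComment(c.author, c.body);
  console.log(containsOnlyTemplateTags(html) ? "ok  " : "BAD ", html);
}
```

Note that the weak filter still leaves ">" and "&" in place, while the encoded output keeps the visitor's text readable and never produces a tag the template did not write itself.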