Web Form Security Issues
Open Web Application Security Project
Cross Site Scripting (XSS) - Malicious JavaScript injections
What can it do to your site
- Change the presentation
- Execute an action
- Create a self-spreading virus
Protecting your site
- Strip out single and double quotes or convert them to their HTML entities
- Convert < and > to &lt; and &gt;
- Convert all line breaks to
- Check your self-created code tags (such as [URL])
- Consider stripping out the word "script"
- Use regular expressions (server side) to validate and sanitize user input
- Validate CSS input
Cross-site request forgery -- exploits the trust that a site has for a particular user
What can it do to your site
- Exploit the site's trust in a user's identity
- Trick the user's browser into sending HTTP requests to a target site
- Involve HTTP requests that have side effects
- Example: the "Samy is my hero" worm from myspace.com
Protecting your site
- transient authentication method
- include a secret, user-specific token in forms that is verified in addition to the cookie
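One way to implement the per-user form token described above (an added example, not code from the original page). It assumes the user's session id comes from the session cookie, and binds the token to that session with an HMAC under a server-side secret, so a request forged from another origin, which can send the cookie but cannot read the form, cannot supply a valid token:

```python
import hashlib
import hmac
import html
import secrets

# Constructed for this example: in a real deployment load the secret from the
# environment or a secrets store, never from source control.
SERVER_SECRET = b"example-server-secret-replace-me"


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token = random nonce + HMAC-SHA256(secret, session_id:nonce), bound to one session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for the session named by the cookie; compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or len(nonce) != 32:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def render_form_field(session_id: str) -> str:
    """Hidden field the form must carry; the value is escaped before it is written into HTML."""
    token = html.escape(make_csrf_token(session_id), quote=True)
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def handle_post(cookie_session_id: str, form: dict) -> bool:
    """Accept a side-effecting request only if the form token matches the cookie's session."""
    return verify_csrf_token(form.get("csrf_token", ""), cookie_session_id)
```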
SQL injection attack -- insertion or "injection" of an SQL query via the input data from the client to the application.
What can it do to your site
- loss of confidentiality
- connect to a system as another user with no previous knowledge of the password
- change information through the successful exploitation of an SQL Injection vulnerability
- make changes or even delete information with an SQL Injection attack
Protecting your site
- use accounts with the minimum privilege necessary
- use parameterized stored procedures (MySQL 5.0)
- A stored procedure is simply a named group of SQL statements kept on the database server
