Saturday, 04 June 2011

Trick to neutralize XSS attacks

XSS (cross-site scripting) is a way of inserting HTML or script code (injection) into a website with the aim of disrupting that website. According to current surveys, most attacks that break through a website's security use XSS techniques. And some time ago, a website I know of was also hit by an attack that used XSS.

The attacker opened one news detail page, and below the news there is a comment form where visitors can leave comments on the news. In that comment box he entered an XSS script. Example XSS script:

As a result, every time we open a news detail page that now contains the injected HTML code (the XSS), the news detail never opens and is immediately replaced with the website address the injected script points to. This is one effect of an XSS attack: it changes the appearance of the site. The more dangerous effects of XSS attacks are stealing cookies and damaging the system.

I will give a little information on how to counter it. First we have to create a filter that discards any HTML tag and JavaScript in the input a visitor submits, because XSS attacks begin with such scripts. The functions we can use to ward off XSS attacks are as follows:

A. The stripslashes function: removes the backslash (\) added in front of each quote, whether single or double. For example, if a visitor enters the word Jum'at, a slash is added so that it becomes Jum\'at; this can be normalized again with the stripslashes function.

B. The strip_tags function: discards tags, both HTML tags and PHP tags. For example, if the text "rasa sayange" is entered wrapped in an HTML tag, the text will be displayed larger than plain "rasa sayange" text; with the strip_tags function it can be normalized so that it is displayed as-is. Syntax: strip_tags("rasasayange");

C. ENT_QUOTES: because we use the htmlspecialchars function, we can add the ENT_QUOTES flag, which converts double quotes and single quotes at the same time.

D. The htmlspecialchars function: its role is nearly the same as strip_tags, but it is more specific to HTML tags and JavaScript, converting them into entities (special codes), namely the characters <, >, & and ". Syntax: htmlspecialchars('"');

How to use them, consider the following script:

    function anti_injection($d) {
        // encode the special HTML characters (both quote types, via ENT_QUOTES),
        // discard any remaining tags, then remove the added backslashes
        $f = stripslashes(strip_tags(htmlspecialchars($d, ENT_QUOTES)));
        return $f;
    }

    $nama_komentar = anti_injection($_POST['nama_komentar']);
    $url           = anti_injection($_POST['url']);
    $isi_komentar  = anti_injection($_POST['isi_komentar']);

So, a comment that a visitor submits through the form is filtered first by the anti_injection function; if XSS code is found, it is converted into plain text before being saved to the database. That is the article I have written; if there are shortcomings in my explanation, suggestions and criticism are very welcome. If anyone is interested in copying this article, please include the source. Thanks.
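As an added example (not the original post's code), the anti_injection() filter from the post is run side by side with an output-time encoder and a URL validator on a few constructed comment inputs, so the difference between the three can be seen. The names escape_html and safe_url, and the sample values, are assumptions made for this example.

```php
<?php
// Added example, not the post's own code. Runs the post's anti_injection()
// next to two helpers on constructed inputs; escape_html/safe_url are assumed names.

function anti_injection(string $d): string {
    // Order as in the post: encode special characters (both quote types),
    // strip any tags that remain, then remove backslashes.
    return stripslashes(strip_tags(htmlspecialchars($d, ENT_QUOTES)));
}

// Output-side encoding: applied at the moment the stored value is echoed into
// an HTML page, so the database keeps the visitor's text unchanged.
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The url field needs more than character encoding: htmlspecialchars() leaves a
// "javascript:" scheme untouched, so only http/https URLs are accepted here.
function safe_url(string $url): ?string {
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Constructed sample comment bodies, as a visitor might type them.
$samples = [
    'plain'  => 'rasa sayange',
    'bold'   => '<b>rasa sayange</b>',
    'script' => '<script>alert(1)</script>',
    'quotes' => "it's \"quoted\"",
    'slash'  => 'C:\\path',
];

foreach ($samples as $name => $input) {
    printf("%-7s input:    %s\n", $name, $input);
    printf("        filtered: %s\n", anti_injection($input));
    printf("        escaped:  %s\n\n", escape_html($input));
}

// Constructed url field values.
foreach (['http://example.com/', 'javascript:alert(1)', 'not a url'] as $u) {
    printf("url %-22s -> %s\n", $u, safe_url($u) ?? 'rejected');
}
```

Two things the run makes visible. First, because htmlspecialchars() has already turned every < into &lt;, the following strip_tags() call has nothing left to strip, so the post's filter is in practice htmlspecialchars() plus stripslashes(); that stripslashes() also deletes legitimate backslashes (the 'slash' sample becomes C:path), which is only appropriate when the server still adds them on input. Second, encoding once at output time (escape_html) gives the same protection in the HTML body without altering what is stored, and the url field is handled by allowing only http and https schemes rather than by encoding alone.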


© ikbal sky | graduated from blogger school
June 2010