XSS (Cross Site Scripting) is one of the hacking technique that uses the methods of script injection through a specific gap on a web page. The gap can sometimes be through the input form, or by modifying the URL parameters. The script that is injected, there are several kinds, can be HTML tags, JavaScript, PHP, ASP (according to a web server), etc..
Now let's try the html form that uses POST method follows,
<html>The script above, will result in a form called Address. At first glance the form looks mediocre, but let's inject the HTML Tag below the form.
<head>
<title> Form in One file </ title>
</ Head>
<body> <center> <h5>
<? Php
if ($ _POST) {
echo "You live in". $ _POST ['Address'];
} Else {
?>
action="" <form method="post">
Address: <input type="text" name="alamat">
<input type="submit" value="Proses">
</ Form>
<? Php
}
?>
<br> <p>
Copyright@www.almansyurin.web.id
</ Body>
</ Html>
<body bgcolor="black"> <center> color="green" <font size="30">And look what happened, the web server will still process the HTML input tag, and menampilkanya on your web browser. Continue to the question is, what the impact of these XSS attacks? yet it also does not damage the server, just change tampilanya it? This will be our discussion later peeled off in the end.
This Site Was Hacked
</ Font> </ center> </ body>
Here's another example of XSS attacks are done through modification of parameters of the URL (Uniform Resource Locator). This is common in the HTML form that uses the GET method. Look at the following URL parameters,
http://www.almansyurin.web.id/onefile.php?alamat=MojokertoNow what if we insert the following JavaScript code on the back of these parameters. More precisely, replace the word "Mojokerto" with the script below,
<script> alert ("This Is Vulnerable !");</ script>And Javascript code will be processed, and displayed again in the web browser client. XSS attacks are called "Reflected XSS", because only be reflected back to the client.
Although HTML tags and Javascript injection is not a big impact on the server side, but it also includes vulnerable. Because it can damage the look of the website, with a little creativity from the hackers.
Well, what happens now if we inject the following JavaScript code,
<script> prompt ("Enter your PIN number?", "");</ script>Visitor / Client who still lay, certainly will easily believe, and then enter their PIN is. But how does it work, if it is only reflected in the web browser the hackers?
The answer is easy, by the HTML LINK. By creating links to the pages that we inject, the victims would be more gullible. LINK also can be input into the victim through the facilities GuestBook websites, or comments.
I am here to teach not to do evil, but that's exactly what it is we need to know. And for pencegahanya, we can use the special function "htmlspecialchars" of PHP. Add a function like the following examples,
/ / Instance method POSTSpecial function is to filter all the input from the client, for conversion to STRING. So it will show what it is.
$ Age = htmlspecialchars ($ _POST ['age']);
/ / GET method example
$ Name = htmlspecialchars ($ _GET ['name']);
/ / Example of direct
echo "Address:". htmlspecialchars ($ _POST ['address']);
As for the XSS attack mengguanakn PHP as an injection material, most will not work. Because the script will be directly converted into STRING. More easy it is, can not run PHP in PHP.
To outsmart it was, we could still use the function eval (), which of course God willing, we shall see in subsequent discussion. AJKH
