Categories: Application Security

PHP Code for Avoiding XSS Attacks


Before discussing the PHP coding tips and techniques for avoiding Cross-site Scripting (XSS) attacks, let us quickly look at what an XSS attack is.

XSS is a web-based attack against a vulnerable web application that ends up victimizing the end user rather than the application itself. The malicious payload is delivered to the user's browser, primarily as JavaScript. XSS becomes possible when a web application takes input from an untrusted source (request parameters, form fields, stored data) and places it into a page without validating it on the way in and, more importantly, without encoding it for the context (HTML text, attribute, URL or script) in which it is rendered. The injected code then executes in the victim's browser with the privileges of the victim's session on the vulnerable site, which effectively bypasses the same-origin policy: the attacker can read session cookies and page content, send requests as the user, or rewrite what the user sees. There are several good references on XSS, such as the OWASP and Wikipedia pages.

The code below sanitizes incoming request parameters by removing JavaScript and markup sent in user input. Keep in mind that input sanitization of this kind is a defence-in-depth measure, not a complete fix: the primary defence against XSS is encoding every untrusted value for the exact HTML, attribute, URL or JavaScript context in which it is written out. Following are the steps to set up and use OWASP ESAPI based sanitization against XSS in your PHP web application:
  1. Setting up the OWASP ESAPI library: Following are instructions to download and set up the OWASP ESAPI library for PHP.
    • Download TortoiseSVN (32-bit or 64-bit, matching your development system) and install it. To confirm it is installed correctly, right-click anywhere in Windows Explorer; you should see an "SVN Checkout" entry in the context menu.
    • Right-click on the desktop, click "SVN Checkout", and paste the following repository URL to download the PHP library for OWASP ESAPI: http://owasp-esapi-php.googlecode.com/svn/trunk/. (Google Code was shut down in 2016, so this URL no longer serves the repository; the OWASP ESAPI for PHP project has since been moved to the OWASP organisation on GitHub, and the library can be obtained from there instead.)
    • The files are checked out into a folder named owasp-esapi-php.
  2. Configuring the custom OWASP adapter: Following are instructions to download and configure the custom OWASP adapter that works with the OWASP ESAPI download above.
    • Create a "security" folder in your project and put the entire owasp-esapi-php folder inside it.
    • Download the additional files (they sit inside a security folder in the zip; copy these files) and put them in the same security folder where you placed owasp-esapi-php. One file is a security adapter, OWASPAdapter, which instantiates the ESAPI object and assigns the appropriate encoder and validator. The other is SecurityFilter, which uses OWASPAdapter to validate the input parameters. All other classes, such as controllers, instantiate SecurityFilter and filter their input parameters for XSS payloads. (As readers point out in the comments below, OWASPAdapter requires a WebValidator class that is not part of the ESAPI checkout itself, so it has to be supplied along with these additional files.)
  3. Using the code in controllers to sanitize requests against XSS
    • As described above, instantiate SecurityFilter in your controller files and filter the inputs with the following code. You can test the filter with payloads taken from an XSS cheat sheet (for example http://sage.math.washington.edu/home/wstein/www/home/agc/lit/javascript/xss.html).
      
      <?php
      // Resolve the web root once so the include works from any controller path.
      define( 'ROOT', $_SERVER['DOCUMENT_ROOT'] );
      include_once( ROOT . '/security/SecurityFilter.php' );
      
      $secFilter = new SecurityFilter();
      // Returns a copy of the request parameters with JavaScript/markup removed.
      // If the controller reads query-string parameters, pass $_GET instead.
      $request = $secFilter->sanitize( $_POST );
      

      The above code should be placed at the very beginning of the controller, before any other processing of the request. The returned $request array has the JavaScript removed from every parameter; use $request, not the raw $_POST or $_GET, from that point on. Still encode each value when it is written into a page: stripping script from input narrows the attack surface, but it does not by itself guarantee that the output is safe.

The above steps should get you set up with XSS-resistant coding in no time.
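As an added example (not code from the original post or from the OWASP ESAPI project), the block below shows the same controller workflow with a small self-contained stand-in for SecurityFilter, so it runs on stock PHP without the ESAPI checkout. The class XssGuard and its methods are assumptions made for this example, not ESAPI APIs. It pushes a few classic XSS probes through input sanitization and then renders them twice: once by plain concatenation, which still produces an exploitable page, and once with context-specific output encoding.

```php
<?php
// Added example (not code from the original post or from the OWASP ESAPI project).
// XssGuard stands in for the ESAPI-backed SecurityFilter described above so the
// controller workflow can be run with stock PHP only. The class and method names
// (XssGuard, sanitize, encodeHtml, encodeAttr, safeUrl, encodeJs) are assumptions
// made for this example and are not ESAPI APIs.
declare(strict_types=1);

final class XssGuard
{
    /**
     * Input-side safety net: walk the request array recursively, reject
     * malformed UTF-8 (which can confuse encoders downstream) and strip all
     * HTML tags. Text that is not a tag, such as a javascript: URL or a stray
     * quote followed by an event-handler attribute, survives this step, which
     * is why the output encoding below is still mandatory.
     */
    public static function sanitize(array $input): array
    {
        $clean = [];
        foreach ($input as $key => $value) {
            if (is_array($value)) {
                $clean[$key] = self::sanitize($value);
                continue;
            }
            $value = (string) $value;
            if (preg_match('//u', $value) !== 1) {   // invalid UTF-8 byte sequence
                $value = '';
            }
            $clean[$key] = trim(strip_tags($value));
        }
        return $clean;
    }

    /** HTML text context: <p>...</p>. */
    public static function encodeHtml(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    /** Quoted HTML attribute context: title="...". The caller must keep the quotes. */
    public static function encodeAttr(string $s): string
    {
        return self::encodeHtml($s);
    }

    /** URL in href/src: allow only http(s), so javascript: and data: URLs are refused. */
    public static function safeUrl(string $url): string
    {
        return preg_match('~^https?://~i', $url) === 1 ? $url : '#';
    }

    /** JavaScript string literal inside an inline <script> block. */
    public static function encodeJs(string $s): string
    {
        // json_encode produces a valid JS string literal; the HEX flags turn
        // < > & ' " into \uXXXX, so "</script>" cannot close the script element.
        $json = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
        return $json === false ? '""' : $json;
    }
}

// Constructed sample POST body; each field is a classic XSS probe.
$samplePost = [
    'name'    => '<script>alert(1)</script>Bob',
    'website' => 'javascript:alert(document.cookie)',   // no tag, so strip_tags keeps it
    'title'   => '" onmouseover="alert(1)',             // no tag either
    'city'    => '</script><script>alert(2)</script>',
];

$request = XssGuard::sanitize($samplePost);

// Vulnerable: sanitized input, but concatenated into markup without encoding.
// Yields: <a href="javascript:alert(document.cookie)" title="" onmouseover="alert(1)">alert(1)Bob</a>
$vulnerable = '<a href="' . $request['website'] . '" title="' . $request['title'] . '">'
    . $request['name'] . '</a>';

// Hardened: every value encoded for the exact context it lands in. The city value
// is taken raw on purpose, to show that the JS encoder alone neutralises </script>.
$hardened = '<a href="' . XssGuard::encodeAttr(XssGuard::safeUrl($request['website']))
    . '" title="' . XssGuard::encodeAttr($request['title']) . '">'
    . XssGuard::encodeHtml($request['name']) . '</a>'
    . '<script>var city = ' . XssGuard::encodeJs($samplePost['city']) . ';</script>';

echo "sanitized:  " . json_encode($request, JSON_UNESCAPED_SLASHES) . PHP_EOL;
echo "vulnerable: " . $vulnerable . PHP_EOL;
echo "hardened:   " . $hardened . PHP_EOL;
```

Run it with php from the command line and compare the two renderings. strip_tags removes the <script> and <img>-style tags, but the javascript: URL and the quote that closes the title attribute are plain text and pass through untouched; only the context-specific encoding in the hardened rendering makes them inert, which is the reason the sanitize step in the controller is a supplement to output encoding rather than a replacement for it.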

Ajitesh Kumar

I have recently been working in the area of data analytics, including data science and machine learning / deep learning. I am also passionate about different technologies, including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc., and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin. Check out my latest book, titled First Principles Thinking: Building winning products using first principles thinking.

Comments

  • For the file "OWASPAdapter.php", I found the following code:
    "require_once( ROOT . "/security/owasp-esapi-php/src/reference/WebValidator.php");"

    But WebValidator.php doesn't exist in "owasp-esapi-php". Please help! Thank you very much!

  • It seems that WebValidator is a customization of
    owasp-esapi-php/src/reference/DefaultValidator.php.
    Unfortunately it doesn't come with the default code... I would be interested in it too!

Published by
Ajitesh Kumar
Tags: owasp, PHP, XSS
