XSS is an abbreviation for cross-site scripting. XSS is a type of code injection attack.
XSS is carried out by attackers entering HTML code or other client-side script code into a site. The attack will appear to come from the site itself.
As a result of this attack, attackers can, among other things, bypass security on the client side, obtain sensitive information, or store malicious applications.
The abbreviation XSS is used instead of CSS because CSS is already used for Cascading Style Sheets. - id.wikipedia.org
Still confused?
I will explain again with a story.
Here's the story:
There is a form in which we are asked to fill in the name, password, and position.
However, someone nosy comes along. Instead of filling in the name, he fills in HTML and JavaScript code.
So what gets stored in the database is that script.
Automatically, when the data is displayed, the browser will execute the script.
The admin seems to be panicking.
Well, that's one form of XSS attack. The attacker is free to insert scripts into our website.
Then, how do you deal with this in CodeIgniter?
CodeIgniter actually provides a Global XSS Filtering feature.
To activate it, just change the value of global_xss_filtering from FALSE to TRUE in application/config/config.php.
Thus, all input from the user (or attacker) will be converted before it is saved to the database.
However, this feature is now deprecated. The CodeIgniter configuration file says:
The 'global_xss_filtering' setting is DEPRECATED and kept solely for backwards-compatibility purposes. XSS escaping should be performed on output, not input!
It seems that the CI developers have realized that XSS is a problem with output, not input.
Another way to overcome XSS is to validate input (xss_clean). However, as mentioned earlier, XSS is an output issue, not an input issue.
Then, how?
Inevitably, we must first convert the data that will be displayed so that it is not executed by the browser.
For example, like the following:

echo htmlentities($data->nama, ENT_QUOTES, 'UTF-8');

The htmlentities() function converts HTML special characters into entities, so the markup is displayed as text rather than executed.
We would have to type that function every time we want to display data.
Because that feels quite long, it should be made into a helper.
Make a helper in the application/helpers directory.
Name it xss_helper.php, then fill in the code like the following:

<?php
// Guard against redefinition, the usual convention for CodeIgniter helpers.
if ( ! function_exists('cetak')) {
    // Escape HTML special characters (both quote types) and print the result.
    function cetak($str) {
        echo htmlentities($str, ENT_QUOTES, 'UTF-8');
    }
}
After that, register this helper in autoload. Open application/config/autoload.php, then add xss to the helper autoload:

/*
| -------------------------------------------------------------------
| Auto-load Helper Files
| -------------------------------------------------------------------
| Prototype:
|
| $autoload['helper'] = array('url', 'file');
*/
$autoload['helper'] = array('url','cookie','form','xss');
Now we replace echo with the cetak() function.
To use it, we just call cetak() in the view, wherever data might be exposed to XSS:

<?php foreach ($pejabat as $pjb) { ?>
<tr>
    <td><?php cetak($pjb->nama) ?></td>
    <td><?php cetak($pjb->nip) ?></td>
    <td><?php cetak($pjb->jabatan) ?></td>
</tr>
<?php } ?>
Then, the text will be displayed as-is, no longer executed by the browser.
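As an added example (not code from the original post or from CodeIgniter itself), the following stand-alone PHP script applies the same escaping as the helper to the rows of the view above, using a constructed record whose name field holds a script tag, and shows why the ENT_QUOTES flag matters; the function names escape_html and render_rows and the sample data are assumptions.

```php
<?php
// Added example, not code from the original post or from CodeIgniter:
// a stand-alone script showing what cetak()-style escaping does to
// injected markup, and why the ENT_QUOTES flag is used.
// The records and field names ($pejabat, nama, nip, jabatan) are
// constructed to match the post's view.

// Same escaping as the post's helper, but returned instead of echoed so
// the result can be inspected.
function escape_html(string $str): string
{
    return htmlentities($str, ENT_QUOTES, 'UTF-8');
}

// Renders the table rows from the post's view with every value escaped.
function render_rows(array $pejabat): string
{
    $html = '';
    foreach ($pejabat as $pjb) {
        $html .= '<tr>'
            . '<td>' . escape_html($pjb->nama) . '</td>'
            . '<td>' . escape_html($pjb->nip) . '</td>'
            . '<td>' . escape_html($pjb->jabatan) . '</td>'
            . "</tr>\n";
    }
    return $html;
}

// Constructed records: one ordinary row and one whose "name" field holds
// the kind of script tag the story describes.
$pejabat = [
    (object) ['nama' => 'Budi', 'nip' => '0001', 'jabatan' => 'Kepala Bagian'],
    (object) ['nama' => '<script>alert(1)</script>', 'nip' => '0002', 'jabatan' => 'Staf'],
];

// In the second row, < and > become &lt; and &gt;, so the browser shows
// the tag as text instead of running it.
echo render_rows($pejabat);

// Why ENT_QUOTES: if a value is placed inside a single-quoted attribute
// (value='...'), an unescaped ' would end the attribute early. ENT_COMPAT,
// the default before PHP 8.1, leaves ' alone; ENT_QUOTES encodes it as &#039;.
$withQuote = "Bu'di";
echo htmlentities($withQuote, ENT_COMPAT, 'UTF-8'), "\n";
echo htmlentities($withQuote, ENT_QUOTES, 'UTF-8'), "\n";
```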
References:
- https://id.wikipedia.org/wiki/XSS
- http://ponderwell.net/2010/08/codeigniter-xss-protection-is-good-but-not-enough-by-itself/
- http://php.net/manual/en/function.htmlentities.php
- https://www.codeigniter.com/userguide3/libraries/security.html
- http://stackoverflow.com/questions/10925720/codeigniter-xss-clean-dilemma
- https://www.petanikode.com/codeigniter-serangan-xss/