PHP vulnerability solution (IV)-xss cross-site scripting

Source: Internet
Author: User
This article mainly introduces xss attacks against PHP websites. XSS attacks include malicious code on the webpage. when a visitor browses the webpage, the malicious code is executed or the administrator is tempted to browse the webpage by sending a message to the administrator to gain administrator privileges, control the entire website. Attackers can use cross-site request forgery to easily force users' browsers to send unintentional HTTP requests, such as fraudulent wire transfers, password changes, and illegal content downloads.

XSS (Cross Site Scripting) stands for Cross-Site Scripting attacks. to be different from Cascading Style Sheet (css ),

Cross-site scripting is mainly used by attackers to read cookies or other personal data of website users. Once attackers obtain the data, they can pretend to be the user to log on to the website, obtain the permissions of this user.

Common steps for cross-site scripting attacks:

1. the attacker sends an http link of xss to the target user in some way.

2. the target user logs on to the website and opens the xss link sent by the attacker during the login.

3. The website executes the xss attack script.

4. the target user page jumps to the attacker's website. The attacker obtains the target user information.

5. attackers use the information of the target user to log on to the website and complete the attack.


When a program with a cross-site vulnerability occurs, attackers can construct a http://www.sectop.com/search.php like this? Key = "method =" POST ">

The XSS script is inserted.

The defense method is to use htmlspecialchars to filter the output variables, or to submit them to the form of the file.


This prevents the $ _ SERVER ["PHP_SELF"] variable from being cross-site

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.