
Reflected XSS


Drongo_III


Hello


It was brought to my attention that my website is susceptible to reflected XSS attacks.


I should say that all pages on my site are static php.


The attack was demonstrated to me by adding the following to the end of a page's URL:

%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e?sub=t

For the sake of brevity this adds an image to my page with the onerror event firing the alert. Presumably this can be adapted to incorporate an external script.


I've trawled around trying to find a concise checklist of what needs to be done to thwart this type of attack.


The only solution I've come upon so far is to use Header set X-Content-Security-Policy "allow 'self'" in the .htaccess file and whitelist all legitimate scripts.


My questions:


1) Is using the X-Content-Security-Policy header actually a solid solution for guarding against reflected XSS?

2) What else should be on my checklist of things to do to guard against this specific attack?


Any help would be very much appreciated!
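As an added illustration of the checklist the post asks for (this is example code, not code from the original post or from the poster's site), the block below puts the vulnerable pattern next to its hardened form in PHP. It assumes, as a modelling choice, that the affected page reflects a request value (here the `sub` query parameter seen in the URL) into an HTML attribute; the actual reflection point on the poster's site is not known. It also sends a Content-Security-Policy header using the standardized header name and directive syntax, which is what current browsers enforce; `X-Content-Security-Policy` with `allow` was the earlier vendor-prefixed form.

```php
<?php
// Added example (not from the original post). Assumes the page reflects a
// request value into an HTML attribute; $sub stands in for that value.

declare(strict_types=1);

// Encode a string for safe insertion into an HTML element body or a
// quoted attribute value. ENT_QUOTES escapes both quote characters,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
// string, and the charset is given explicitly so the encoder and the
// page agree on what a character is.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: raw request data concatenated into markup. A value
// containing a closing quote and bracket terminates the attribute and the
// element, and whatever follows is parsed as new HTML.
function renderVulnerable(string $sub): string
{
    return '<input type="text" name="sub" value="' . $sub . '">';
}

// Hardened pattern: identical markup, but the value is encoded at the point
// where it is written into HTML, so quotes and angle brackets stay literal.
function renderSafe(string $sub): string
{
    return '<input type="text" name="sub" value="' . escapeHtml($sub) . '">';
}

// Defence in depth: a Content-Security-Policy that only permits scripts
// served from this origin and, because 'unsafe-inline' is absent, blocks
// inline handlers such as onerror even if an encoding slip lets one through.
// The same policy can be set from .htaccess with
//   Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
function sendCsp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Constructed input modelled on the payload quoted in the post: the decoded
// form of %22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E.
$constructed = '"><img src=a onerror=alert(1)>6f54e';

// Read the real parameter when running behind a web server; fall back to the
// constructed value so the script also runs from the command line.
$sub = isset($_GET['sub']) && is_string($_GET['sub']) ? $_GET['sub'] : $constructed;

sendCsp();
echo "Vulnerable: ", renderVulnerable($sub), "\n";
echo "Safe:       ", renderSafe($sub), "\n";
```

Run it with `php example.php` to compare the two renderings: in the vulnerable output the input closes the `value` attribute and a new `<img>` element appears, while in the safe output the same characters are emitted as `&quot;`, `&gt;` and `&lt;` and remain plain text inside the attribute. The encoding function has to match the context it writes into (an HTML attribute here; a JavaScript string or a URL would each need a different encoder), and the CSP is a second layer rather than a substitute for that encoding.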
