PugJr, April 6, 2009 (https://forums.phpfreaks.com/topic/152846-solved-what-can-you-do-with-xss/): How severe of a condition is it if your page can be attacked with XSS? Like, what is the very worst they can do to your website? Completely destroy it? Steal cookies? So, more or less, is a site inoperable assuming it can be XSSed?
Daniel0, April 6, 2009: Execute arbitrary JavaScript on the client computer, and all that entails.
PugJr, April 6, 2009: Is there a way to disable jscript? So far my website has never used any jscript, so if I was to disable it altogether, would that fix it? EDIT: And by disabling it I don't mean client side, but server side? EDIT: Oh wait a minute, what am I saying? All jscript is, is something on the webpage that the client reads, so how could you disable that?
Daniel0, April 6, 2009: You can turn it off in your user agent. Once you've sent the output from your server, then you no longer control it. You'll just have to ensure that people have no means of injecting the JavaScript in the first place.
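As an added illustration of "no means of injecting the JavaScript in the first place" (this is example code written for this page, not code from the thread or from the linked tutorial), here is the usual PHP pattern: the vulnerable version echoes request input straight into the HTML, the hardened version escapes every untrusted value for the HTML context it lands in. The `h()` helper name, the `name`/`q` query parameters and the sample input string are assumptions made for the example; the cookie flags at the end need PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the thread): escaping untrusted input before it is
// echoed into HTML, which is what prevents stored or reflected XSS.
// Assumes a page that reflects the "name" and "q" query parameters back to the visitor.

// Vulnerable version: raw input is echoed into the page, so any markup or
// <script> element inside ?name=... is interpreted by the visitor's browser.
function render_greeting_vulnerable(string $name): string
{
    return "<p>Hello, " . $name . "!</p>";
}

// Hardened version: every untrusted value goes through one escaping helper.
// ENT_QUOTES escapes both ' and ", so the same helper is safe inside quoted
// attribute values; the charset argument must match the page's declared charset.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_greeting(string $name): string
{
    return "<p>Hello, " . h($name) . "!</p>";
}

// Attribute context: always quote the attribute and escape the value the same way.
function render_search_box(string $query): string
{
    return '<input type="text" name="q" value="' . h($query) . '">';
}

// Defence in depth for the "steal cookies" case from the first post: an HttpOnly
// session cookie is not readable from document.cookie even if some injection slips
// through. Must be called before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample input (assumed, for demonstration only) containing markup.
$sample = '<b>bold</b> "quoted" <script>';

// With escaping, the markup is rendered as literal text instead of being executed:
// <p>Hello, &lt;b&gt;bold&lt;/b&gt; &quot;quoted&quot; &lt;script&gt;!</p>
echo render_greeting($sample), "\n";

// Real request handling: the same helpers applied to actual request input.
echo render_greeting($_GET['name'] ?? 'guest'), "\n";
echo render_search_box($_GET['q'] ?? ''), "\n";
```

The important design choice is to escape at output time, for the specific context (HTML body, attribute, and so on), rather than trying to strip "bad" characters on input: input filtering has to guess every way a browser can be tricked, while output escaping only has to know the context it is writing into.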
PugJr, April 6, 2009: Alright. Thanks. Was hoping there might have been an easy way out, but that doesn't look like it.
nrg_alpha, April 6, 2009: According to Chris Shiflett's book on essential PHP security, XSS can wreak a range of havoc on applications that display input, from possibly spoofing forms to cross-site request forgery (CSRF) (which translates to sending arbitrary HTTP requests from the victim), for example.
PugJr, April 6, 2009: Oh wait, I also have another question then. Can XSS do anything that damages the server? Only the client, right?
nrg_alpha, April 6, 2009: My understanding is it is the client, not the server. Think in terms of the display of webpages (and what can be manipulated if those pages are not secure enough). You can also google XSS for more info as well, such as the XSS article on Wikipedia, for example.
PugJr, April 6, 2009: Okay, that'll be all. Thanks everyone!
Daniel0, April 6, 2009: You might want to read this: http://www.phpfreaks.com/tutorial/php-security It's meant to be a primer on the most important security aspects in PHP.