Drongo_III Posted October 29, 2014

Hello

It was brought to my attention that my website is susceptible to reflected XSS attacks. I should say that all pages on my site are static PHP.

The attack was demonstrated to me by adding the following to the end of a page's URL:

%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e?sub=t

For the sake of brevity, this adds an image to my page with the onerror event firing the alert. Presumably this can be adapted to incorporate an external script.

I've trawled around trying to find a concise checklist of what needs to be done to thwart this type of attack. The only solution I've come upon so far is to use

Header set X-Content-Security-Policy "allow 'self'"

in the .htaccess file and whitelist all legitimate scripts.

My questions:

1) Is using the X-Content-Security-Policy header actually a solid solution for guarding against reflected XSS?
2) What else should be on my checklist of things to do to guard against this specific attack?

Any help would be very much appreciated!
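The following is an added example, not code from the poster's site, showing the two layers a static PHP page needs against the reflected injection described above: context-aware output escaping of anything taken from the request, plus a Content-Security-Policy header that disallows inline script and inline event handlers. It assumes the page reflects a query parameter named sub and builds a link to itself; both the parameter name and its allowed values are assumptions for the demonstration. The standard header name is Content-Security-Policy; the X- prefixed variant is the old experimental Firefox name, and its "allow" syntax is not part of the standard.

```php
<?php
// Added example (not the poster's code): escaping reflected input in a static PHP page
// and sending a standard Content-Security-Policy header. Assumes the page reflects a
// query parameter named "sub" and links to itself; names and allowed values are assumptions.
declare(strict_types=1);

// Escape a string for safe insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES encodes both " and ' so a value cannot break out of an attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The unsafe pattern behind reflected XSS: request data echoed into markup unchanged,
// so whatever is appended to the URL becomes part of the page. Shown only as a comment.
// echo '<a href="' . $_SERVER['REQUEST_URI'] . '">this page</a>';   // UNSAFE: do not use

// Restrict the reflected value to what the page actually expects before it is used at
// all ('t' or 'f' here, an assumption), falling back to a known-good default. This also
// handles ?sub[]=x, where $_GET['sub'] arrives as an array rather than a string.
$sub = $_GET['sub'] ?? 't';
if (!is_string($sub) || !in_array($sub, ['t', 'f'], true)) {
    $sub = 't';
}

// default-src 'self' blocks inline <script> and inline handlers such as onerror, so an
// injected tag that slips past escaping cannot execute; object-src 'none' and base-uri
// 'self' close two common bypasses. CSP is a second layer behind output escaping, not a
// replacement for it. Headers must be sent before any output is written.
header("Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');
header('Content-Type: text/html; charset=UTF-8');

// Build the self link from the script path rather than the raw request URI, then escape it.
$self = h($_SERVER['SCRIPT_NAME'] ?? '/');
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Static page</title>
</head>
<body>
  <p>Current section: <?= h($sub) ?></p>
  <a href="<?= $self ?>?sub=<?= h($sub) ?>">Reload this page</a>
</body>
</html>
```

If the header is easier to manage in .htaccess than in every PHP file, the mod_headers equivalent is Header set Content-Security-Policy "default-src 'self'"; any legitimate inline scripts then have to be moved into external files served from the same origin (or allowed with a nonce or hash), which is the whitelisting step mentioned in the post. The check that matters is to request the page with the demonstrated suffix after the change and confirm in the browser's developer console that no alert fires and that CSP reports the blocked inline handler.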