PHP Security Attacks and Prevention

XSS Attack - Cross-Site Scripting

https://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/

CSRF attack example (delivered through an XSS hole in a comment form). The page below echoes whatever was posted in the textarea straight back into the HTML without escaping it, so a visitor can inject markup and script that every later viewer's browser will execute:

<?php
// Vulnerable on purpose: the submitted comment is echoed back into the page
// without any escaping, so any HTML or script the visitor submits is parsed
// and executed by the browser (reflected XSS). Note the echo happens before
// the form below, so injected markup becomes the first element on the page.
if(isset($_POST["pp"])){
echo $_POST["pp"];
}
?>
<form action="" method="post">
<textarea name="pp"></textarea>
<input type="submit">
</form>

Now paste the following into the comment box. The browser does not reject the second <body> tag; it merges the onLoad attribute onto the page's real body, so the injected form (which is document.forms[0], because it is echoed before the comment form) is submitted as soon as the page finishes loading. The form has no method attribute, so the request goes out as a GET, and the browser attaches the victim's cookies for pnbnetbanking.org.in to it:

<body onLoad="document.forms[0].submit()">
<form action="https://pnbnetbanking.org.in/">
<input name="accountnum" value="126172612">
<input name="amount" value="100">
<input type="submit">
</form>
</body>

You can also simply paste a script tag to prove the injection works:

<script>alert("you are hacked");</script>

Or you can redirect the user to another site:

<script>window.location="http://phptechblog.com"</script>

Details of the CSRF attack can be found here:

https://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.incapsula.com/web-application-security/csrf-cross-site-request-forgery.html

Comparison between XSS and CSRF:

Full form
  XSS:  Cross-Site Scripting
  CSRF: Cross-Site Request Forgery

Definition
  XSS:  The attacker injects a malicious client-side script into a page of the vulnerable site. The victim's browser runs it with the site's origin and the victim's session, so it can read the page, steal data or act as the user.
  CSRF: The attacker abuses the target site's trust in the victim's browser. A page under the attacker's control makes the browser send a request to the target site, with the victim's cookies attached, without the victim knowing that the request was made.

Dependency
  XSS:  Untrusted input that is placed into the page without validation or output encoding.
  CSRF: The browser automatically attaching credentials (session cookies, HTTP authentication) to cross-site requests, and the target site treating any well-formed request as the user's intent.

Requirement of JavaScript
  XSS:  Usually. The injected payload is normally script, although plain HTML injection (such as the auto-submitting form above) is also XSS.
  CSRF: No. An auto-submitting form, an image tag or a plain link is enough.

Condition
  XSS:  The vulnerable site accepts the malicious code and reflects or stores it in its own pages.
  CSRF: The malicious code is hosted on a third-party site (or, as above, delivered through an XSS hole); only the resulting request reaches the target site.

Vulnerability
  XSS:  A site that is vulnerable to XSS is in practice also vulnerable to CSRF, because injected script runs on the site's own origin and can read anti-CSRF tokens and submit forms itself.
  CSRF: A site that is fully protected against XSS can still be vulnerable to CSRF unless state-changing requests are also protected (anti-CSRF token, SameSite cookies, origin checks).
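The following is an added example, not code from the original post, showing the comment form from the CSRF example above hardened against both attacks discussed on this page and in the comparison table: the echoed comment is HTML-escaped so injected markup and script are rendered as text, and every POST must carry a per-session anti-CSRF token before it is processed. It assumes PHP 7.3 or newer (for random_bytes() and the 'samesite' session cookie option) and a site served over HTTPS; the function names esc(), csrf_token() and csrf_token_is_valid() are this example's own.

```php
<?php
// Added example (not code from the original post): the comment form above,
// hardened against both attacks shown on this page.
//   1. Output encoding stops the XSS: the echoed comment is escaped, so an
//      injected <body onLoad=...> or <script> is shown as text, not parsed.
//   2. An anti-CSRF token stops the forgery: every POST must carry a secret
//      that only a page served by this site, to this session, contains.
// Assumes PHP 7.3+ (random_bytes, the 'samesite' cookie option) and HTTPS.
declare(strict_types=1);

// SameSite=Strict is a second, browser-enforced CSRF defence: the session
// cookie is not sent on cross-site requests, so a forged request from
// another origin arrives without a session at all. It does not help against
// a CSRF launched by script already running on this origin via XSS, which
// is why the output encoding below is still required.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,     // assumption: the site is served over HTTPS
    'samesite' => 'Strict',
]);
session_start();

// Escape untrusted text for an HTML body or attribute context.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// single-quoted attribute values as well as double-quoted ones.
function esc(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// One 256-bit random token per session, created on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate a submitted token. hash_equals() compares in constant time so
// response timing does not leak which prefix of the token was correct.
// $submitted is untyped on purpose: a tampered form can post an array.
function csrf_token_is_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject the request before touching any other field.
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    if (isset($_POST['pp']) && is_string($_POST['pp'])) {
        // Escaped on output: the payloads from the comment box above are
        // rendered as visible text instead of being executed.
        echo '<p>' . esc($_POST['pp']) . '</p>';
    }
}
?>
<form action="" method="post">
<input type="hidden" name="csrf_token" value="<?= esc(csrf_token()) ?>">
<textarea name="pp"></textarea>
<input type="submit">
</form>
```

A page on a third-party site cannot read the hidden csrf_token field because of the same-origin policy, so the auto-submitting form from the attack above is answered with 403. Script injected through an XSS hole on this origin could read the token, which is exactly the point made in the last row of the comparison: the token check is only as strong as the site's output encoding.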

Please check the following link for other security attacks and their prevention:

https://php.earth/docs/security/intro