SOMEONE HACKED A WEBSITE THAT I MADE, AND I’M WONDERING HOW TO BLOCK THAT. (MORE DETAILS BELOW)?

Question by anomyn92:
Someone hacked a website that I made, and I am wondering how to block that. (more details below)?
I created a website as a part of a week-long game we played in one of my classes. Someone in my class told me later that week that they had hacked my website, but felt bad about it and changed it back. (Other people in my class confirmed seeing the edit.) They had changed some of the text on the page. They would not tell me how they did it, but they stated that they used JavaScript. I have been researching online, and I think that they used either XSS (cross-site scripting) or script insertion (probably the latter of the two), but I do not comprehend it. I get the general concept of code insertion, but I do not comprehend how they get the URL to direct the user to the altered HTML instead of the regular HTML. (For reference purposes, I used Google Page Creator.) So my question is, how did they hack it, and how do I counter it? I thought that since I used a Google product, my site would be secure (as opposed to using my home computer).
——————————————
Answer by Sly_Old_Mole
Give us the link to your site & I will check it out.
——————————————
about 2 years ago
I don't get your question??
<?
html code
?>
or
<?
echo html code dynamically
?>
about 2 years ago
Actually it is the way around. HTML4 allows to use PHP or other scripting languages embedded in it.
For more info, get yourself a few tutorials right here:
Good luck,
Joe
http://www.php.net/manual/en/introduction.php
about 4 months ago
This is far too complex for a “straight” answer.
Enter the following terms into the search engine of your choice and it will lead you to solutions to thwart XSS and other attacks:
email injection
sql injection
prevent XSS
Many of these will lead to Wikipedia and others.
There is one quote by Selena Sol: know it well.
“Every user input is a potential hack.”
This means any scripts you have that accept input must adequately CLEANSE THE INPUT. Don’t accept SQL sub-queries as input.
The second thing to understand is not all these attacks come directly from your forms. From a command line, I can request a script on your site without ever visiting the form page. So this allows me to circumnavigate any JavaScript you may have to control input. YA won’t let me post the whole thing as an example, so imagine this, all on one line:
http://example.com/yourscript.php?
email=some_bad_data_that_will_hack_your_site
The real answer to “how they did it:” look at your server logs!
about 4 months ago
In order for someone to hack your website using JavaScript, there has to be a way that the user can post content that other users can see. Which tells me that you are using some form of server-side language to allow users to post content (PHP, ASP, CGI, or something else that's server-side).
To stop it, it is fairly simple, but each language would do it differently.
Here's what you want to do:
* Replace all ‘<’ in the input text with ‘&lt;’ and replace all ‘>’ with ‘&gt;’
* Something I saw a website do is take the word ‘script’ and replace it with ‘scipt’; that seems to be rather effective
I don't know about other languages, but PHP has a couple functions to strip tags from text (like strip_tags())
If you do those two, I think that would stop JavaScript injections.
If you still want to allow HTML, write a BBCode type of thing…for example:
Replace [b] with <b>
Replace [/b] with </b>
and so on
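
An added example, not part of the answers above: one way to apply the escaping and BBCode advice in PHP by escaping every markup character first and only then turning an allowlist of BBCode pairs back into HTML. The function names, the allowed tag list and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: escape first, then re-enable a small allowlist of BBCode tags.

// Escape every character that is special in HTML, including both quote styles,
// so user text is displayed as text and never parsed as markup.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a user comment for display inside an HTML page.
// Only attribute-free tags are allowed, so no user text ever lands inside a tag.
function render_comment(string $raw): string
{
    $safe = escape_html($raw);

    // BBCode name => HTML element (hypothetical allowlist).
    $allowed = ['b' => 'b', 'i' => 'i', 'u' => 'u'];

    foreach ($allowed as $bb => $html) {
        // Convert only complete [tag]...[/tag] pairs so the output stays balanced;
        // an unclosed [b] is left as literal text.
        $pattern = '/\[' . $bb . '\](.*?)\[\/' . $bb . '\]/is';
        $replacement = '<' . $html . '>$1</' . $html . '>';
        $safe = preg_replace($pattern, $replacement, $safe);
    }

    // Keep the user's line breaks visible.
    return nl2br($safe);
}

// Constructed sample inputs (not taken from the page).
$samples = [
    'Hello [b]world[/b]',              // allowed formatting
    '<script>alert(1)</script>',       // script tag is shown as text
    '<img src=x onerror="alert(1)">',  // markup without the word "script"
    '[b]unclosed bold',                // unbalanced BBCode stays literal
];

foreach ($samples as $raw) {
    echo render_comment($raw), PHP_EOL;
}
```

Escaping has to happen where the text is written into the page, on the server; checks done only in the browser can be bypassed by requesting the script directly.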