#1 A Change of Season

    Is this form secure for XSS

    Hi;

    Just wondering if the email field in this page is vulnerable to XSS or not.

    Thanks
#2 Jacques1
    No, those two fields aren't vulnerable to XSS. But that's not the problem here.

    Never send the password back. All your protection doesn't help much when the plaintext passwords travel around the globe.

    The next major issue is that you're not using TLS and don't even offer it as an option (you're running around with an invalid certificate).

    // Yeah, and it might be a good idea to turn off the error messages and not test your code online. I'm getting all kinds of funny PHP notices.
    Last edited by Jacques1; December 20th, 2013 at 07:08 AM.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#3 A Change of Season
    Originally Posted by Jacques1
    No, those two fields aren't vulnerable to XSS. But that's not the problem here.

    Never send the password back. All your protection doesn't help much when the plaintext passwords travel around the globe.

    The next major issue is that you're not using TLS and don't even offer it as an option (you're running around with an invalid certificate).

    // Yeah, and it might be a good idea to turn off the error messages and not test your code online. I'm getting all kinds of funny PHP notices.
    Ok, I appreciate the tip on password.

    About TLS:

    Is it gonna fix the issue if I run the site under SSL?

    Thanks
#4 Jacques1
    Originally Posted by English Breakfast Tea
    Is it gonna fix the issue if I run the site under SSL?
    The webserver does support TLS, but it offers an invalid certificate for a different domain (*.qnetau.com). You need a proper certificate for this domain.

    Afterwards, either use TLS on your whole site. Or at least use it on the login page. That is, always link to https://manage.atless.com.au/log_in. And also redirect all HTTP requests to the HTTPS URL.
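Added example (not code from the thread or from the site under discussion): a PHP login page that applies the three points made in this thread, redirecting plain HTTP to the HTTPS login URL, escaping the email value when the form is re-displayed, and never echoing the submitted password back. The URL is the one named above; the user table and check_credentials() are constructed for the demo and are assumptions.

```php
<?php
// Added example, not code from the thread or the site it discusses. It applies the
// advice above: force HTTPS on the login URL, escape the email value when the form
// is re-displayed, and never send the submitted password back. The URL is taken
// from the thread; the user table and check_credentials() are constructed.
declare(strict_types=1);
// 1. Any plain-HTTP request is redirected to the HTTPS login page (permanent
//    redirect), which presumes a certificate that is valid for this hostname.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
if (!$isHttps) {
    header('Location: https://manage.atless.com.au/log_in', true, 301);
    exit;
}
header('Strict-Transport-Security: max-age=31536000'); // browser stays on HTTPS
ini_set('display_errors', '0'); // PHP notices must not reach visitors on the live site

// Constructed user store: only salted hashes are kept, never plaintext passwords.
$users = ['alice@example.com' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)];
function check_credentials(array $users, string $email, string $password): bool
{
    // password_verify() does the hash comparison in constant time.
    return isset($users[$email]) && password_verify($password, $users[$email]);
}

$email = '';
$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $email    = (string)($_POST['email'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    if (check_credentials($users, $email, $password)) {
        header('Location: https://manage.atless.com.au/', true, 303);
        exit;
    }
    $error = 'Invalid email or password.';
    unset($password); // the password is not kept and is never written into the page
}
$esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="https://manage.atless.com.au/log_in">
  <?php if ($error !== ''): ?><p><?= $esc($error) ?></p><?php endif; ?>
  <!-- The email is escaped for an attribute context, so quotes or angle brackets
       in the submitted value cannot break out of the input tag. -->
  <label>Email <input type="email" name="email" value="<?= $esc($email) ?>"></label>
  <!-- No value attribute: the password never travels back to the browser. -->
  <label>Password <input type="password" name="password" autocomplete="current-password"></label>
  <button type="submit">Log in</button>
</form>
```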
