Home Tutorial Cross Site Scripting Codeigniter

Cross Site Scripting Codeigniter

by MH RISHAD - 21 Nov 2018

Usually occurs when a web application (say website) takes input from a user via some web forms and user injects malicious code into it, and the field in which user has entered the malicious code is not validated correctly and data is stored in some database for future use. As a result, the malicious data inserted by hacker appears to be part of the website or web application and runs in victim’s web browser (as per privileges set for web application) and it can result into complete hold over victim’s machine based on the arbitrary code inserted by the hacker. Likes we studied in Reflected XSS, an XSS attack allows hackers to install browser based Key loggers, steal session cookies or sensitive information or change data on the web page usually download links etc.

Reflected Cross Site Scripting

· The attacker crafts a URL containing a malicious string and sends it to the victim.

· The victim is tricked by the attacker into requesting the URL from the website.

· The website includes the malicious string from the URL in the response.

· The victim’s browser executes the malicious script inside the response, sending the victim’s cookies to the attacker’s server.

How to prevent XSS attack in Codeigniter

In Codeigniter to prevent XSS attack using security class. The security class contains two methods

· Cross Site Request Forgery(CSRF) Token

· XSS Filtering

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery token is a hash string which will include with each form request and form submission. and will checked with already saved token in cookie/session. If your both value matched it will accept your request else request will be decline.

To enable CSRF protection in your CodeIgniter application, edit the application/config/config.php file and look for $config[‘csrf_protection’]. Change the setting to TRUE (if it isn’t already) to enable protection.

Updating forms with CSRF Tokens

The easiest way to update your forms is to use the Form Helper. Load the form helper manually (in your controller) or add it to the application/config/autoload.php file. Using form_open() will automatically add in a new field into the form with a randomly generated token used to prevent CSRF.

<form action=”http://localhost/yoursite/contact-us" enctype=”multipart/form-data” method=”post”>
<input type=”hidden” name=”csrf_test_name” value=”abcdefgh12345678" />

If you don’t want to use form_open(), you can add it to your form manually with:

<input type=”hidden” name=”<?php echo $this->security->get_csrf_token_name(); ?>” value=”<?php echo $this->security->get_csrf_hash(); ?>”>

Test Cases in CSRF Token

IN Code-igniter after updating your form, test the code by Posting some data and the request should now go through as normal. To test it further, edit the value of the CSRF input (e.g. using Chrome), then submit the form again.

Changing the CSRF token will result in the above error message as CodeIgniter has detected a CSRF attack.

Cross Site Script Filtering (XSS)

CodeIgniter comes with a Cross Site Scripting prevention filter, which looks for commonly used techniques to trigger JavaScript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

$data = $this->security->xss_clean($data);


By using xss_clean() method to prevent xss attack.

Test Cases in XSS Filtering

Before using xss_clean() method I have submit contact form using JavaScript alert code is <script>alert(‘welcome to xss attack’);</script>.

After submitting it, it shows the alert box. This way attacker can also incorporate any script that might give him a callback and gets to know of our application’s vulnerability. In this example, a demo of a simple “welcome xss attck” alert was triggered on the Admin where this data is being shown.

I have to use xss_clean() method which will filter the malicious codeblock. We should do that before inserting into database. This method removes the <script> tags as well like shown before.

The above examples give a basic idea of potential Security breaches and a potential barrier when using PHP’s Code Igniter framework.


Collected From : Medium US



Leave a Comment

Required fields are marked *