Over a million developers have joined DZone.

PHP Security: XSS and Password Storage

DZone 's Guide to

PHP Security: XSS and Password Storage

An introductory look at the basics of Cross-Site Scripting, or XSS, and what hackers use it for, as well as the importance of password storage.

· Security Zone ·
Free Resource

When developing a web application, it is extremely important to have security in mind and be aware of the different risks. If one does not know the risks and the mechanics behind each vulnerability, there is no way to protect against it.

In the previous post in this series on PHP Security, we looked at types of vulnerabilities such as SQL Injection, Directory Traversal, and Code Injection. In Part 3 however, we shall be looking at XSS vulnerabilities and the importance of secure password storage.

Cross-Site Scripting

Cross-site Scripting or XSS is a vulnerability in which client-side code is injected into the output of a web application and executed in the user's browser. There are three types of XSS:

  • Reflected XSAS, in which the code executed is being sent as part of the request and included in the response body.

  • Stored (or persistent XSS), in which the code is being stored serverside, most commonly in a database, and is executed when the code is retrieved and outputted unescaped.

  • The last and less common is the DOM-based XSS in which an existing legitimate script is tricked into executing a malicious payload by manipulating the DOM and not the source of the page. The impact of successful exploitation varies from redirecting to malicious websites to stealing credentials, cookies, and CSRF tokens. It is one of the most common vulnerabilities found in web applications.

Password Storage

Passwords serve a sole purpose - to help a user authenticate against a system to access private data. Users need to provide a password which will be used by an authentication mechanism to verify whether access should be allowed or not. If in any way a third party gets access to your password, they will then be able to access private information such as your name, email, address, credit card number, photos, and financial data. That is why passwords should be kept secret/private.

For a system to be able to verify a user's password, it first needs to have it stored in some sort of database to check against. As we have seen in part 1 of this series, hackers can use SQL injection to exfiltrate passwords stored in databases, thus storing them securely is crucial.

security ,web application security ,cross-site scripting ,xss

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}