Question

I implemented jQuery UI autocomplete on my site, but when I load that page, it alerts "xssvuln". When I tried to run my site on localhost, there was no problem. Can you please help me fix this? Also, I'm running my site on iPage.

This is my JS for autocomplete.

// Fetch the list of course names as JSON, then hand it to jQuery UI autocomplete.
$.ajax({
    type: 'post',
    url: 'autocompleteCourse.php',
    dataType: 'json',
    success: function(data) {
        var availableCourse = data;
        $("#course").autocomplete({
            source: availableCourse,
            messages: {
                noResults: '',
                results: function() {}
            }
        });
    }
});

And this is my PHP file for autocomplete.

<?php
include '../utility/sqlcon.php';

// Start with an empty array so json_encode() returns [] when no rows match.
$courseOptions = array();

$query = mysql_query("select * from autocomplete where input = 'course'") or die(mysql_error());
while ($q = mysql_fetch_array($query))
{
    $courseOptions[] = $q['autoComplete'];
}

echo json_encode($courseOptions);

Solution

I would guess that this has little to do with jQueryUI autocomplete, but is probably an indication that someone has hacked your site, albeit in a friendly-warning way.

It's probably a hint that someone's managed to get something into your database like <script>alert('xssvuln');</script> as an indication that your site is vulnerable to cross-site scripting injection.

Can you have a look at the source code to your live page, and see where the xssvuln alert is coming from? Because I doubt it's the autocomplete, or at least not directly. If it happens when you use the autocomplete, I'd check the search results for whatever you're searching for in your live system to see if they include some JavaScript put in there by a hacker, which you're then inserting into your page without proper escaping.

As an example: if your site lets your users add new content, and you simply accept anything they type, and then output it without doing any work to sanitise it -- removing script tags, using functions like htmlspecialchars() during output, etc. -- then you must realise that you're effectively allowing anyone on the internet to add code to your site.

One of the ways a hacker will quickly test for XSS vulnerability on a site they're probing is to find an input form on a site, and add script code to it, to see if it's passed through unsanitised. So they might find a comments form, and type:

<script>alert('xssvuln');</script>

...into it. If they then view the comment page on the site and instead of seeing the text <script>alert('xssvuln');</script> on the page (as we do here in Stack Overflow, for example) they see a JavaScript alert, they know your site is vulnerable.

So, my advice:

  • Find out where the alert is coming from. Chances are it's user-submitted content in your database.
  • Read up on cross-site scripting.
  • Protect your inputs and outputs against this kind of JavaScript injection.
  • Cleanse your database of existing attacks, if necessary.

OTHER TIPS

Someone has found a vulnerability in your site, and been generous enough to point it out to you.

It looks like your database has an entry along the lines of:

<script>alert('xssvuln');</script>  

inside it, which is being returned as a result of one of your queries and displayed in your page.

It's not good news to find out this is happening. Your application should really be checking that all data input by users is free of things like tags and so forth, such that things like this can't happen. Similarly, whenever you display data from your database on a page it's worthwhile running functions that check the data is clean too, because you can never be too sure.

To fix the problem, first I'd hit view source on your live page, and locate where the piece of script is. Once you know that, you can figure out where in your code the script was retrieved, and remove it from your database.

Please don't leave it at that, though. This hacker has highlighted an important vulnerability in your site that someone could easily exploit to do far more damaging things than bringing up an alert message.

Basically, whenever you are displaying text from your database to the user, be sure to wrap it in the following function:

htmlspecialchars($yourstring);

This is not 100% foolproof, but will go a long way towards reducing the likelihood of successful XSS attacks on your site.
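The two answers above advise finding the stored entry, cleansing the database and escaping on output. The following is an added example, not part of the original thread: it audits a list of autocomplete entries for tag-like markup and escapes each value before it is placed into HTML. The names sampleRows, escapeHtml, findSuspectRows and renderSuggestions are hypothetical, and the rows are constructed sample data.

```javascript
// Constructed sample data standing in for the JSON array that
// autocompleteCourse.php returns. The second entry is the payload from the thread.
const sampleRows = [
  "Computer Science",
  "<script>alert('xssvuln');</script>",
  "Arts & Design",
  "Maths <b>(new)</b>",
];

// Escape the five characters that PHP's htmlspecialchars() converts when
// ENT_QUOTES is set. A single pass avoids double-escaping the "&" of an entity.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Flag entries containing tag-like markup ("<" followed by a letter, "/" or "!").
// Course names should never need markup, so every hit is a row to inspect
// and clean up in the database.
const TAG_LIKE = /<[a-z\/!]/i;
function findSuspectRows(rows) {
  return rows
    .map((value, index) => ({ index, value: String(value) }))
    .filter((row) => TAG_LIKE.test(row.value));
}

// Build list markup with every value escaped on output, so stored markup
// is displayed as text instead of being parsed by the browser.
function renderSuggestions(rows) {
  return rows.map((value) => `<li>${escapeHtml(value)}</li>`).join("\n");
}

console.log("Rows to review:", findSuspectRows(sampleRows));
console.log(renderSuggestions(sampleRows));
```

Escaping on output still applies after the flagged rows are cleaned, since the audit only catches what is already stored.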

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow