<HTML>
<BODY>
<BR> <BR><BR>
Submit something: <BR>
<FORM method="post">
<input type="text" size="100" name="namexss"><br>
<input type="submit" name="submit" value="Submit Form"><br>
</FORM>
</BODY>
</HTML>
PHP

If you name this file testxss1.php and execute it using a simple XSS-type attack as shown
ASP.NET

If you name this file testxss1.aspx and execute it using the same XSS attack string, you will get a nice error:
Conclusion

This shows how different frameworks offer different levels of security "out of the box". It is the exact same file, but run it through ASP.NET and you get better XSS protection. It is important that you understand the security features your chosen technologies offer you.
These tests used default installations of ASP.NET 4 and PHP 5.3.3 running locally on IIS. They are not very scientific and are not intended to show that any one framework is better than another. The aim is to show that different products support security in different ways, and that development teams need to understand the specific products they have chosen.
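As an added example (not code from the original post), this is what the PHP developer has to do by hand to get the protection ASP.NET applies by default: a version of testxss1.php that echoes the submitted value back into the page only after HTML-encoding it. The helper name h() is my own choice; the code sticks to PHP 5.3 syntax to match the version used in the tests.

```php
<?php
// Added example, not from the original post: a hardened testxss1.php.
// PHP 5.3.3 performs no request validation, so nothing stops a value such
// as "<script>" from reaching the application. The defence is to encode
// untrusted data at the point where it is written into the HTML.

// Encode a value for use inside an HTML element body or a quoted attribute.
// ENT_QUOTES also encodes single quotes, and the charset is stated
// explicitly so that malformed byte sequences cannot bypass the encoding.
// (ENT_HTML5 would be preferable but only exists from PHP 5.4 onwards.)
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$submitted = isset($_POST['namexss']) ? $_POST['namexss'] : '';

// The pattern to avoid is writing the raw value straight into the page,
// e.g. `echo $_POST['namexss'];` -- every write below goes through h().
?>
<HTML>
<BODY>
<BR> <BR><BR>
Submit something: <BR>
<FORM method="post">
<input type="text" size="100" name="namexss" value="<?php echo h($submitted); ?>"><br>
<input type="submit" name="submit" value="Submit Form"><br>
</FORM>
<?php if ($submitted !== ''): ?>
<p>You submitted: <?php echo h($submitted); ?></p>
<?php endif; ?>
</BODY>
</HTML>
```

On the ASP.NET side the equivalent call is HttpUtility.HtmlEncode; the error the post shows comes from ASP.NET's default request validation, which rejects suspicious input before page code runs, but that input filter is not a substitute for encoding output.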