...
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A 3.1 Defenses:
Encode untrusted data:
| Data Type | Context | Code Sample | Defense |
|---|---|---|---|
| String | HTML Body | <span>UNTRUSTED DATA</span> | HTML entity encoding |
| String | Safe HTML Attributes | <input value="UNTRUSTED DATA"> | Aggressive HTML entity encoding; only place untrusted data into a whitelist of safe attributes; strictly validate unsafe attributes such as background, id and name |
| String | GET Parameter | <a href="/site/search?value=UNTRUSTED DATA">clickme</a> | URL encoding |
| String | Untrusted URL in a SRC or HREF attribute | <a href="UNTRUSTED URL">clickme</a> | Canonicalize input, URL validation, safe URL verification, whitelist http and https URLs only (avoid the javascript: protocol), then attribute encoding |
| String | CSS Value | <div style="width:UNTRUSTED DATA">Selection</div> | Strict structural validation, CSS hex encoding, good design of CSS features |
| String | JavaScript Variable | <script>var currentValue='UNTRUSTED DATA'</script> | Ensure JavaScript variables are quoted, JavaScript hex encoding, JavaScript Unicode encoding, avoid backslash encoding |
| HTML | HTML Body | <div>UNTRUSTED HTML</div> | HTML validation (JSoup, AntiSamy, HTML Sanitizer) |
| String | DOM XSS | <script>document.write("UNTRUSTED INPUT: " + document.location.hash);</script> | DOM based XSS Prevention Cheat Sheet |
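The table above lists a different defense per output context. The following is an added example (not code from the original page, and not the ESAPI or OWASP encoders it references) of one plain-JavaScript encoder per context, plus the allow-list check that the "Untrusted URL" row needs because encoding alone cannot reject a javascript: URL. The function names and the sample attacker input are this example's own.

```javascript
// Added example: per-context output encoders for the rows of the table above.
// Function names are this example's own, not a library API.

// HTML body: entity-encode the characters that can start a tag, entity or
// attribute value. Also adequate for attribute values that are always quoted.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HTML attribute: "aggressive" encoding, every non-alphanumeric character
// becomes &#xHH; so the value cannot break out of even an unquoted attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// GET parameter value: percent-encoding. encodeURIComponent leaves !'()*
// untouched, so encode those as well.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// JavaScript string literal inside quotes: \xHH / \uHHHH for everything that
// is not alphanumeric. Deliberately no backslash-quote escaping: an
// attacker-supplied backslash would turn \' back into a string terminator.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return `\\u{${cp.toString(16)}}`;
  });
}

// CSS property value: \HH hex escape with a trailing space so that following
// hex digits are not swallowed. Only for values, never for whole declarations.
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => '\\' + c.codePointAt(0).toString(16) + ' ');
}

// Untrusted URL in href/src: "javascript:alert(1)" contains nothing an
// encoder would touch, so validate the scheme first. The WHATWG URL parser
// strips leading whitespace and embedded tab/newline, which canonicalizes
// tricks like " java\tscript:". Relative URLs are rejected here for brevity.
function safeUrl(s) {
  let u;
  try { u = new URL(String(s)); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return encodeForHtmlAttribute(u.href);
}

// Render the table's sample snippets with untrusted input in each slot.
function renderSnippets(data, url) {
  const href = safeUrl(url);
  return {
    body: `<span>${encodeForHtml(data)}</span>`,
    attribute: `<input value="${encodeForHtmlAttribute(data)}">`,
    getParam: `<a href="/site/search?value=${encodeForUrlParam(data)}">clickme</a>`,
    link: href === null ? '<a>clickme</a>' : `<a href="${href}">clickme</a>`,
    css: `<div style="width:${encodeForCss(data)}">Selection</div>`,
    js: `<script>var currentValue='${encodeForJavaScript(data)}'</script>`,
  };
}

// Constructed attacker input (not from any real site).
const untrusted = `"><script>alert('x')</script>`;
console.log(renderSnippets(untrusted, 'javascript:alert(1)'));
```

Note that `safeUrl` returns null for a javascript: URL and the caller drops the href entirely; encoding the URL without that check would emit a well-formed attribute that still executes when clicked.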
...
If these contain unvalidated user input, the application is vulnerable when it runs on application frameworks that cannot detect this issue.
If the application has to use user-supplied input in HTTP headers, it should check for "\n" or "\r\n" in the input data and reject or strip it.
Many application servers and frameworks have basic protection against HTTP response splitting, but it is not adequate to the task, and you should not allow unvalidated user input in HTTP headers.
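As an added illustration of the CR/LF check described above (example code, not from the original page or any framework), the following shows a redirect built from a user-supplied location in a vulnerable form and in a form that refuses values containing a line break, including the percent-encoded forms that a later decoding layer could turn back into CR/LF. Function names and the sample attacker input are this example's own.

```javascript
// Added example: detecting CR/LF in a user-supplied header value before it
// reaches a response header. Function names are this example's own.

// The text calls for checking "\n" and "\r\n"; this check also catches a lone
// "\r" and values that still carry %0d / %0a, since another layer may decode
// them before the header is written.
function containsCrlf(value) {
  const s = String(value);
  if (/[\r\n]/.test(s)) return true;
  try {
    if (/[\r\n]/.test(decodeURIComponent(s))) return true;
  } catch {
    // Malformed %-sequence: not a CR/LF; the caller decides what to do with it.
  }
  return false;
}

// Vulnerable pattern: the value is concatenated straight into the raw header
// block. Shown only to illustrate the effect of an injected line break.
function buildRedirectUnsafe(location) {
  return 'HTTP/1.1 302 Found\r\nLocation: ' + location +
         '\r\nContent-Length: 0\r\n\r\n';
}

// Hardened: refuse the value outright. A line break is never legitimate in a
// redirect target, so rejecting is safer than silently stripping.
function buildRedirectSafe(location) {
  if (containsCrlf(location)) {
    throw new Error('refusing header value containing CR/LF');
  }
  return 'HTTP/1.1 302 Found\r\nLocation: ' + location +
         '\r\nContent-Length: 0\r\n\r\n';
}

// The header lines a browser or proxy would parse from a raw response. An
// unexpected Set-Cookie or a second status line means the response was split.
function headerLines(raw) {
  return raw.split('\r\n\r\n')[0].split('\r\n');
}

// Constructed attacker input: a redirect target carrying an injected header.
const injected = '/home\r\nSet-Cookie: session=attacker';
console.log(headerLines(buildRedirectUnsafe(injected)));
try {
  buildRedirectSafe(injected);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Node's own http module, for instance, throws when a header value contains CR or LF, but the check belongs at the validation boundary anyway: it also covers values that are logged, forwarded to another service, or handed to a framework that does not perform it.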
...
- OWASP XSS Prevention Cheat Sheet
- XSS Prevention Rules Summary
- OWASP Cross-Site Scripting Article
- Unraveling Some Mysteries around DOM-based XSS
- ESAPI Project Home Page
- ESAPI Encoder API
- ASVS: Output Encoding/Escaping Requirements (V6)
- ASVS: Input Validation Requirements (V5)
- Testing Guide: 1st 3 Chapters on Data Validation Testing
- OWASP Code Review Guide: Chapter on XSS Review
- CWE Entry 79 on Cross-Site Scripting
- RSnake's XSS Attack Cheat Sheet
- XXE Cheat Sheet
- XML Parser Evaluation
- RSPEC proposal about Java and XXE