Versions Compared

Comment: Migrated to Confluence 4.0

1. Implement input validation: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet#Example_Dangerous_HTML_Methods
1.1. Use the encoding libraries available:
 - ESAPI4JS http://bit.ly/9hRTLH
 - Jquery-encoder
 - OWASP JSON Sanitizer https://www.owasp.org/index.php/OWASP_JSON_Sanitizer#tab=Getting_Started
 - OWASP Java HTML Sanitizer (org.owasp.html.HtmlPolicyBuilder, org.owasp.html.Sanitizers) https://github.com/OWASP/java-html-sanitizer/blob/master/docs/getting_started.md
 - Testing Checklist https://www.owasp.org/index.php/Testing_Checklist
 - Handling untrusted JSON safely https://blog.whitehatsec.com/handling-untrusted-json-safely/
Automating scans, manual verification
Consider OnDemand?
Burp training
Books
https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet
https://github.com/cure53/DOMPurify
https://github.com/hackvertor/MentalJS
http://www.qasec.com/2011/01/tips-for-tracking-security-related-defects-in-your-bugtracker.html
Input validation is essential to prevent untrusted input from being executed; the encoding and sanitizing libraries listed above help enforce strict control over that input.
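As an added example (not code from the original page), the allow-list approach the OWASP Java HTML Sanitizer entry above refers to: a policy built with HtmlPolicyBuilder is applied to untrusted HTML before it is rendered. The class name, the policy choices and the sample input are constructed for illustration.

```java
// Added example: sanitizing untrusted HTML with the OWASP Java HTML Sanitizer.
// Needs the library on the classpath (Maven artifact
// com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer).
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class CommentSanitizer {

    // Allow-list policy: only simple formatting elements and https links
    // survive. Anything not explicitly allowed (script, style, event-handler
    // attributes, javascript: URLs, img) is dropped, not just escaped.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "em", "strong", "a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("https")
            .requireRelNofollowOnLinks()
            .toFactory();

    // Equivalent idea using the prebuilt policies shipped with the library.
    private static final PolicyFactory PREBUILT =
            Sanitizers.FORMATTING.and(Sanitizers.LINKS);

    // Call this on every piece of user-supplied HTML before storing or
    // rendering it; the return value is safe to insert into a page.
    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input, not real user data: mixes legitimate
        // formatting with markup the policy is expected to strip.
        String untrusted = "<p>Hello <b>world</b>"
                + "<script>alert(1)</script>"
                + "<img src=x onerror=alert(1)>"
                + "<a href=\"javascript:alert(1)\">click</a>"
                + "<a href=\"https://example.org/\">ok</a></p>";

        // Disallowed elements and attributes are removed; plain text content
        // is kept and the https link gains rel="nofollow".
        System.out.println(sanitize(untrusted));
        System.out.println(PREBUILT.sanitize(untrusted));
    }
}
```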

...

Java Security Libraries:

Apache Shiro: authentication, access control, authorization, session management and cryptography

Spring Security: authentication, access control.

Encoding Libraries:

OWASP ESAPI

OWASP Java Encoder Project

DOMPurify

jPurify

MentalJS

Java HTML Sanitizer

...

OWASP Java Encoder Project

Prevention:

HTML5 XSS attack vectors

DOM based XSS Prevention Cheat Sheet

Handling Untrusted JSON safely

Testing:

Jacks Codiscope

Testing Checklist