Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

...

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary

A 3.1 Defenses:

Encode untrusted data:

Data Type

Context

Code Sample

Defense

String

HTML Body

<span>UNTRUSTED DATA</span>

String

Safe HTML Attributes

<input value="UNTRUSTED DATA">

  • Aggressive HTML Entity Encoding
  • Only place untrusted data into a whitelist of safe attributes (listed below).
  • Strictly validate unsafe attributes such as background, id and name.

String

GET Parameter

<a href="/site/search?value=UNTRUSTED DATA">clickme</a>

String

Untrusted URL in a SRC or HREF attribute

<a href="UNTRUSTED URL">clickme</a>
<iframe src="UNTRUSTED URL" />

String

CSS Value

<div style="width:UNTRUSTED DATA">Selection</div>

String

JavaScript Variable

<script>var currentValue='UNTRUSTED DATA'</script>
<script>someFunction('UNTRUSTED DATA')</script>

  • Ensure JavaScript variables are quoted
  • JavaScript Hex Encoding
  • JavaScript Unicode Encoding
  • Avoid backslash encoding (\" or \' or
    )

HTML

HTML Body

<div>UNTRUSTED HTML</div>

String

DOM XSS

<script>document.write("UNTRUSTED INPUT: " + document.location.hash);<script/>

A 3.2. Sanitizers:

...

A 3.2.1

...

OWASP

...

Java

...

HTML

...

Sanitizer

...

Project

API

If you are using Maven then follow the maven directions to add a dependency. Otherwise, download prebuilt jars;or;git clone git@github.com:OWASP/java-html-sanitizer.git;and build the latest source.

...

Other contexts can be found in the org.owasp.Encode class methods, including CSS strings, CSS urls, XML contexts, URIs and URI components.

A 3.2.3 DOM Purify

...

DOMPurify

A 3.2.4 MentalJS

MentalJS is a JavaScript parser and sandbox. It whitelists JavaScript code by adding a "$" suffix to variables and accessors. https://github.com/hackvertor/MentalJS

A 3.2.5 OWASP JSON

...

https://www.owasp.org/index.php/OWASP_JSON_Sanitizer#tab=Input

Sanitizer

A 3.2.6 Third Party Javascript Management Cheat Sheet

...

A 3.3 AJAX Security Best Practices:

A 3.4 HTTP Response Splitting

...

If these contain unvalidated user input, the application is vulnerable when used with application frameworks that cannot detect this issue.
If the application has to use user-supplied input in HTTP headers, it should check for double "\n" n” or "\r\n" n” values in the input data and eliminate it.
Many application servers and frameworks have basic protection against HTTP response splitting, but it is not adequate to task, and you should not allow unvalidated user input in HTTP headers.

...

Code Block
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);

http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html

http://web-in-security.blogspot.de/2016/03/xml-parser-evaluation.html

...

Learn More