
1. Implement input validation (DOM based XSS Prevention Cheat Sheet, "Example Dangerous HTML Methods": https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet#Example_Dangerous_HTML_Methods)
1.1. Use the encoding libraries available:
 - ESAPI4JS http://bit.ly/9hRTLH
 - Jquery-encoder
 - OWASP JSON Sanitizer https://www.owasp.org/index.php/OWASP_JSON_Sanitizer#tab=Getting_Started
 - OWASP Java HTML Sanitizer (import org.owasp.html.HtmlPolicyBuilder; org.owasp.html.Sanitizers) https://github.com/OWASP/java-html-sanitizer/blob/master/docs/getting_started.md
 Further reading:
 - https://www.owasp.org/index.php/Testing_Checklist
 - https://blog.whitehatsec.com/handling-untrusted-json-safely/
2. Automating scans, manual verification
 - Consider OnDemand?
 - Burp training
3. Books and references
 - https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet
 - https://github.com/cure53/DOMPurify
 - https://github.com/hackvertor/MentalJS
 - http://www.qasec.com/2011/01/tips-for-tracking-security-related-defects-in-your-bugtracker.html
Input validation is essential to prevent untrusted input from being executed; the encoding and sanitizing libraries available can help enforce strict input control.
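As an added example (not code from this page or from the OWASP project), the snippet below shows how the Java HTML Sanitizer named above is used: a prebuilt policy combined from org.owasp.html.Sanitizers next to a custom allow-list built with HtmlPolicyBuilder. The untrusted input string is constructed for the demo.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SanitizeDemo {

    // Prebuilt policies shipped with the library: basic formatting tags plus links.
    // Policies compose with and(); anything not allowed is dropped, not encoded.
    private static final PolicyFactory PREBUILT =
        Sanitizers.FORMATTING.and(Sanitizers.LINKS);

    // Custom allow-list: only these elements, only https links,
    // and every surviving link gets rel="nofollow".
    private static final PolicyFactory CUSTOM = new HtmlPolicyBuilder()
        .allowElements("p", "b", "i", "a")
        .allowUrlProtocols("https")
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()
        .toFactory();

    // Sanitize with the prebuilt policy; event handlers and script are removed.
    public static String sanitizePrebuilt(String untrustedHtml) {
        return PREBUILT.sanitize(untrustedHtml);
    }

    // Sanitize with the custom policy; the non-https link loses its href.
    public static String sanitizeCustom(String untrustedHtml) {
        return CUSTOM.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input mixing benign markup with a handler attribute,
        // a script element and a non-https link.
        String untrusted = "<p onmouseover=\"alert(1)\">Hi <b>there</b>"
            + "<script>alert(1)</script>"
            + "<a href=\"javascript:alert(1)\">bad</a> "
            + "<a href=\"https://example.com\">ok</a></p>";

        System.out.println("prebuilt: " + sanitizePrebuilt(untrusted));
        System.out.println("custom:   " + sanitizeCustom(untrusted));
    }
}
```

Both outputs keep the text and the https link while dropping the onmouseover attribute, the script element and the javascript: href; the policy, not the input, decides what reaches the DOM.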

Some encoding libraries:
 - OWASP ESAPI
 - OWASP Java Encoder Project
 - DOMPurify
 - MentalJS
 - OWASP Java HTML Sanitizer
 - OWASP JSON Sanitizer

Prevention:
 - DOM based XSS Prevention Cheat Sheet
 - Handling Untrusted JSON safely

Testing:
 - Testing Checklist
