CRV2 RevCodeStoredAntiPatternIntro - Revision history

Johanna Curiel at 21:24, 3 May 2014

2014-05-03T21:24:09Z

Johanna Curiel at 21:23, 3 May 2014

2014-05-03T21:23:55Z

Johanna Curiel at 21:02, 3 May 2014

2014-05-03T21:02:39Z

Johanna Curiel at 20:45, 3 May 2014

2014-05-03T20:45:14Z

Johanna Curiel: Created page with "==Stored Cross Site Script (XSS) across Web Applications== This is one of the most common vulnerabilities found accordingly with OWASP Top 10 2013. When executing a Code revi..."

2014-05-03T20:42:34Z

Created page with "==Stored Cross Site Script (XSS) across Web Applications== This is one of the most common vulnerabilities found accordingly with OWASP Top 10 2013. When executing a Code revi..."

New page

==Stored Cross Site Script (XSS) across Web Applications==

This is one of the most common vulnerabilities found accordingly with OWASP Top 10 2013. When executing a Code review regarding stored XSS, it’s essential to understand the code containing XSS vulnerability, which in essence it will be JavaScript code inserted in an input field of a web form for example. The malicious user attempts to submit and save this code in the database or store system of the web application in question.

The following sections focus on showing what components in the applications must be reviewed in order to determine if they have been properly configured or coded to avoid XSS attacks. Most of the attacks occur due to bad configurations or missing mechanisms to validate input once a submission is done by a bad-intended user is executed.

Using multiple resources available
The XSS cheat sheets is a valuable resource to the code reviewer, to understand and control vulnerability related to XSS. Understand what kind of code is been injected and prepare the correct mechanisms to validate characters and code that can be recognized as XSS. Remember, many frameworks and applications already contain security libraries and components that can be used by the developer to achieve this, however if the developer is ignorant regarding the correct implementation or use of this instruments, the application will be vulnerable for this and many more type of vulnerabilities

@@ Line 8: / Line 8: @@
 The XSS Cheat Sheets is a valuable resource to the code reviewer, to understand and control vulnerabilities related to XSS. Understand what kind of code is been injected and prepare the correct mechanisms to validate characters and code that can be recognized as XSS. Remember, many frameworks and applications already contain security libraries and components that can be used by the developer to achieve this, however if the developer is ignorant regarding the correct implementation or use of these instruments, the application will be vulnerable for this and many more type of vulnerabilities.
-Read also the related chapter regarding understanding XSS vulnerabilities
+Read also the related chapters regarding understanding XSS vulnerabilities
 https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting
 https://www.owasp.org/index.php/Overall_approach_to_content_encoding_and_anti_XSS

@@ Line 1: / Line 1: @@
 ==Stored Cross Site Script (XSS) across Web Applications==
-This is one of the most common vulnerabilities found accordingly with OWASP Top 10 2013. When executing a Code review regarding stored XSS, it’s essential to understand the code containing XSS vulnerability, which in essence it will be JavaScript code inserted in an input field of a web form for example. The malicious user attempts to submit and save this code in the database or store system of the web application in question.
+This is one of the most common vulnerabilities found accordingly with OWASP Top 10 2013. When executing a Code review regarding stored XSS, it’s essential to understand the code containing XSS vulnerability, which in essence it will be JavaScript code inserted in an input field of a web form . The malicious user attempts to submit and save this code in the database or store system of the web application in question.
 The following sections focus on showing what components in the applications must be reviewed in order to determine if they have been properly configured or coded to avoid XSS attacks. Most of the attacks occur due to bad configurations or missing mechanisms to validate input, once a submission is done by a bad-intended user.
@@ Line 9: / Line 9: @@
 Read also the related chapter regarding understanding XSS vulnerabilities
 https://www.owasp.org/index.php/Overall_approach_to_content_encoding_and_anti_XSS

← Older revision		Revision as of 21:02, 3 May 2014
Line 6:		Line 6:

	==Using in-built resources available==		==Using in-built resources available==
−	The XSS Cheat Sheets is a valuable resource to the code reviewer, to understand and control vulnerabilities related to XSS. Understand what kind of code is been injected and prepare the correct mechanisms to validate characters and code that can be recognized as XSS. Remember, many frameworks and applications already contain security libraries and components that can be used by the developer to achieve this, however if the developer is ignorant regarding the correct implementation or use of these instruments, the application will be vulnerable for this and many more type of vulnerabilities	+	The XSS Cheat Sheets is a valuable resource to the code reviewer, to understand and control vulnerabilities related to XSS. Understand what kind of code is been injected and prepare the correct mechanisms to validate characters and code that can be recognized as XSS. Remember, many frameworks and applications already contain security libraries and components that can be used by the developer to achieve this, however if the developer is ignorant regarding the correct implementation or use of these instruments, the application will be vulnerable for this and many more type of vulnerabilities.
		+
		+	Read also the related chapter regarding understanding XSS vulnerabilities
		+	https://www.owasp.org/index.php/Overall_approach_to_content_encoding_and_anti_XSS

@@ Line 3: / Line 3: @@
 This is one of the most common vulnerabilities found accordingly with OWASP Top 10 2013. When executing a Code review regarding stored XSS, it’s essential to understand the code containing XSS vulnerability, which in essence it will be JavaScript code inserted in an input field of a web form for example. The malicious user attempts to submit and save this code in the database or store system of the web application in question.
-The following sections focus on showing what components in the applications must be reviewed in order to determine if they have been properly configured or coded to avoid XSS attacks. Most of the attacks occur due to bad configurations or missing mechanisms to validate input once a submission is done by a bad-intended user is executed.
+The following sections focus on showing what components in the applications must be reviewed in order to determine if they have been properly configured or coded to avoid XSS attacks. Most of the attacks occur due to bad configurations or missing mechanisms to validate input, once a submission is done by a bad-intended user.
-Using multiple resources available
+==Using in-built resources available==
-The XSS cheat sheets is a valuable resource to the code reviewer, to understand and control vulnerability related to XSS. Understand what kind of code is been injected and prepare the correct mechanisms to validate characters and code that can be recognized as XSS. Remember, many frameworks and applications already contain security libraries and components that can be used by the developer to achieve this, however if the developer is ignorant regarding the correct implementation or use of this instruments, the application will be vulnerable for this and many more type of vulnerabilities
+The XSS Cheat Sheets is a valuable resource to the code reviewer, to understand and control vulnerabilities related to XSS. Understand what kind of code is been injected and prepare the correct mechanisms to validate characters and code that can be recognized as XSS. Remember, many frameworks and applications already contain security libraries and components that can be used by the developer to achieve this, however if the developer is ignorant regarding the correct implementation or use of these instruments, the application will be vulnerable for this and many more type of vulnerabilities