This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Abridged XSS Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
m (Output Encoding Types)
m (Output Encoding Types)
Line 87: Line 87:
 
|-
 
|-
 
| HTML Attribute Encoding
 
| HTML Attribute Encoding
| TODO
+
| Except for alphanumeric characters, escape all characters with the HTML Entity #xHH; format, including spaces.
 
|-
 
|-
 
| URL Encoding
 
| URL Encoding

Revision as of 21:38, 16 November 2011

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

Cross site scripting is the most common web vulnerability. It represents a serious threat because cross site scripting allows evil attacker code to run in a victim’s browser. This cheat sheet is a derivative work of the XSS (Cross Site Scripting) Prevention Cheat Sheet.

XSS Prevention Overview

Data Type Context Code Sample Defense
String HTML Body <span>UNTRUSTED DATA</span>
String Safe HTML Attributes <input type="text" name="fname" value="UNTRUSTED DATA">
  • Aggressive HTML Entity Encoding
  • Only place untrusted data into a whitelist of safe attributes.
  • Strictly validate unsafe attributes such as background, id and name.
String GET Parameter <a href="/site/search?value=UNTRUSTED DATA">clickme</a>
String Untrusted URL in a SRC or HREF attribute <a href="UNTRUSTED DATA">clickme</a>
<iframe src="UNTRUSTED DATA" />
  • Cannonicalize input
  • URL Validation
  • Safe URL verification
  • Whitelist http and https URL's only
  • Attribute encoder
String CSS <div style="width: UNTRUSTED DATA;">Selection</div>
String JavaScript <script>var currentValue='UNTRUSTED DATA';</script>
  • Ensure JavaScript variables are quoted
  • JavaScript Hex Encoding
  • JavaScript Unicode Encoding
  • Avoid backslash encoding (\" or \' or \\)
String HTML Comment <!-- UNTRUSTED DATA--> TODO
String JavaScript Comment /*
UNTRUSTED DATA
*/ 		TODO
HTML HTML Body <span>UNTRUSTED HTML</span>
String DOM XSS TODO
String AJAX/JSON Parsing TODO
  • Use JSON.parse or json2.js library to parse JSON
  • Avoid parsing JSON with eval()
String AJAX/XML Parsing TODO TODO

Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

Output Encoding Types

Encoding Type Encoding Mechanism
HTML Entity Encoding Convert & to &amp;
Convert < to &lt;
Convert > to &gt;
Convert " to &quot;
Convert ' to &#x27;
Convert / to &#x2F;
HTML Attribute Encoding Except for alphanumeric characters, escape all characters with the HTML Entity #xHH; format, including spaces.
URL Encoding Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp
JavaScript HEX Encoding Except for alphanumeric characters, escape all characters less than 256 with the \xHH format.
CSS Hex Encoding TODO

Related Articles

OWASP Cheat Sheets Project Homepage


V - T - E Cheat Sheets
Developer / Builder
Assessment / Breaker
Mobile
OpSec / Defender
Draft and Beta
All Pages In This Category

Authors and Primary Editors

Jim Manico - jim [at] owasp.org
Jeff Williams - jeff [at] aspectsecurity.com

Retrieved from "https://wiki.owasp.org/index.php?title=Abridged_XSS_Prevention_Cheat_Sheet&oldid=120326"