|
|
| (84 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| − | <h1> DRAFT CHEAT SHEET - WORK IN PROGRESS </h1>
| + | #redirect [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]] |
| − | <h1> Introduction </h1>
| |
| − | <p>Cross site scripting is the most common web vulnerability. It represents a serious threat because cross site scripting allows evil attacker code to run in a victim’s browser. More details about XSS can be found here: <a href="https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29">https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29</a>
| |
| − | </p>
| |
| − | <h1> XSS Prevention Overview </h1>
| |
| − | <table class="wikitable">
| |
| − | <tr>
| |
| − | <th> Data Type
| |
| − | </th><th> Context
| |
| − | </th><th> Code Sample
| |
| − | </th><th> Defense
| |
| − | </th></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> HTML Body
| |
| − | </td><td> <span><span style="color:red;">UNTRUSTED DATA</span></span>
| |
| − | </td><td> <ul><li><a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content">HTML Entity Encoding</a></li></ul>
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> "safe" HTML Attributes<br /><br />align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
| |
| − | </td><td> <input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>">
| |
| − | </td><td> <ul><li><a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes">Aggressive HTML Entity Encoding</a></li><li>Only place untrusted data into a whitelist of safe attributes</li><li>Strictly validate unsafe attributes such as background, id and name (these can influence the DOM even when escaped</ul>
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> GET Parameter
| |
| − | </td><td> <a href="/site/search?value=<span style="color:red;">UNTRUSTED DATA</span>">clickme</a>
| |
| − | </td><td> <ul><li><a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Parameter_Values">URL Encoding</a></li></ul>
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> Untrusted URL rendered in an HREF tag<br />(or other HTML link context)
| |
| − | </td><td> <a href="<span style="color:red;">UNTRUSTED DATA</span>">clickme</a><br /><iframe src="<span style="color:red;">UNTRUSTED DATA</span>" />
| |
| − | </td><td> <ul><li>Cannonicalize input</li><li>URL Validation</li><li>Safe URL verification</li><li>Whitelist http and https URL's only</li><li>Attribute encoder</li></ul>
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> CSS
| |
| − | </td><td> <div style="width: <span style="color:red;">UNTRUSTED DATA</span>;">Selection</div>
| |
| − | </td><td> <ul><li><a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_And_Strictly_Validate_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values">Strict structural validation</a><li>CSS Hex encoding<li>good design of CSS Features</ul>
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> JavaScript
| |
| − | </td><td> <script>var currentValue='<span style="color:red;">UNTRUSTED DATA</span>';</script>
| |
| − | </td><td> <ul><li>Ensure JavaScript variables are quoted</li><li>JavaScript Hex Encoding</li><li>JavaScript Unicode Encoding</li><li>Avoid backslash encoding (\" or \' or \\)</li></ul>
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> HTML Comment
| |
| − | </td><td> <!-- <span style="color:red;">UNTRUSTED DATA</span>-->
| |
| − | </td><td> TODO
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> JavaScript Comment
| |
| − | </td><td> /*<br /><span style="color:red;">UNTRUSTED DATA</span><br />*/
| |
| − | </td><td> TODO
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> HTML Text
| |
| − | </td><td> HTML Body
| |
| − | </td><td> <span><span style="color:red;">UNTRUSTED HTML</span></span>
| |
| − | </td><td> <ul><li><a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Use_an_HTML_Policy_engine_to_validate_or_clean_user-driven_HTML_in_an_outbound_way">HTML Validation (JSoup, AntiSamy, HTML Sanitizer)</a></li></ul>
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> DOM XSS
| |
| − | </td><td> TODO
| |
| − | </td><td> <ul><li><a _fcknotitle="true" href="DOM based XSS Prevention Cheat Sheet">DOM based XSS Prevention Cheat Sheet</a></li></ul>
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> AJAX/JSON Parsing
| |
| − | </td><td> TODO
| |
| − | </td><td> <ul><li>Use JSON.parse or json2.js library to parse JSON</li><li>Avoid parsing JSON with eval()</li></ul>
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> String
| |
| − | </td><td> AJAX/XML Parsing
| |
| − | </td><td> TODO
| |
| − | </td><td> TODO
| |
| − | </td></tr></table>
| |
| − | <h1> Output Encoding Types </h1>
| |
| − | <table class="wikitable">
| |
| − | | |
| − | <tr>
| |
| − | <th> Encoding Type
| |
| − | </th><th> Encoding Mechanism
| |
| − | </th></tr>
| |
| − | <tr>
| |
| − | <td> HTML Entity Encoding
| |
| − | </td><td> & --> &amp;<br />< --> &lt;<br />> --> &gt;<br />" --> &quot;<br />' --> &#x27; &apos; is not recommended<br />/ --> &#x2F; forward slash is included as it helps end an HTML entity
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> HTML Attribute Encoding
| |
| − | </td><td> TODO
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> URL Encoding
| |
| − | </td><td> TODO
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> JavaScript HEX Encoding
| |
| − | </td><td> TODO
| |
| − | </td></tr>
| |
| − | <tr>
| |
| − | <td> CSS Hex Encoding
| |
| − | </td><td> TODO
| |
| − | </td></tr></table>
| |
| − | <h1> Related Articles </h1>
| |
| − | <p><span class="fck_mw_template">{{Cheatsheet_Navigation}}</span>
| |
| − | </p>
| |
| − | <h1> Authors and Primary Editors </h1>
| |
| − | <p>Jim Manico - jim [at] owasp.org<br />
| |
| − | Jeff Williams - jeff [at] aspectsecurity.com
| |
| − | </p><a _fcknotitle="true" href="Category:Cheatsheets">Cheatsheets</a>
| |
