| (101 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| − | = DRAFT CHEAT SHEET - WORK IN PROGRESS =
| + | #redirect [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]] |
| − | = Introduction =
| |
| − | | |
| − | Cross site scripting is the most common web vulnerability. It represents a serious threat because cross site scripting allows evil attacker code to run in a victim’s browser. More details about XSS can be found here: [https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29]
| |
| − | | |
| − | = XSS Prevention Overview =
| |
| − | | |
| − | {| class="wikitable"
| |
| − | |-
| |
| − | ! Data Type
| |
| − | ! Context
| |
| − | ! Code Sample
| |
| − | ! Defense
| |
| − | |-
| |
| − | | String
| |
| − | | HTML Body
| |
| − | | <span><span style="color:red;">UNTRUSTED DATA</span></span>
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content HTML Entity Encoding]</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | HTML Attribute, quoted
| |
| − | | <span id="<span style="color:red;">UNTRUSTED DATA</span>"></span>
| |
| − | | <ul><li>HTML Entity Encode single and double quotes</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | HTML Attribute, unquoted
| |
| − | | <span id=<span style="color:red;">UNTRUSTED DATA</span>></span>
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | GET Parameter
| |
| − | | <a href="/site/search?value=<span style="color:red;">UNTRUSTED DATA</span>">clickme</a>
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Parameter_Values URL Encoding]</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | Untrusted URL rendered in an HREF tag<br/>(or other HTML link contexts)
| |
| − | | <a href="<span style="color:red;">UNTRUSTED DATA</span>">clickme</a>
| |
| − | | <ul><li>URL Validation<li>reject javascript: URL’s<li>Whitelist http, https and other safe URL types<li>Attribute encoding<li>safe URL verification</ul>
| |
| − | |-
| |
| − | | String
| |
| − | | CSS
| |
| − | | <div style="width: <span style="color:red;">UNTRUSTED DATA</span>;">Selection</div>
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_And_Strictly_Validate_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values Strict structural validation]<li>CSS Hex encoding<li>good design of CSS Features</ul>
| |
| − | |-
| |
| − | | String
| |
| − | | JavaScript
| |
| − | | <script>var currentValue='<span style="color:red;">UNTRUSTED DATA</span>';</script>
| |
| − | | <ul><li>Ensure JavaScript variables are quoted</li><li>JavaScript Hex Encoding</li><li>JavaScript Unicode Encoding</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | JavaScript Event Handler Attribute
| |
| − | | <input type="button" onclick="UNTRUSTED DATA" .../>
| |
| − | | <ul><li>Ensure UNTRUSTED DATA is quoted</li><li>JavaScript Hex or Unicode Encoding but NO backslash encoding (\" or \' or \\) </li></ul>
| |
| − | |-
| |
| − | | HTML Text
| |
| − | | HTML Body
| |
| − | | <span><span style="color:red;">UNTRUSTED HTML</span></span>
| |
| − | | <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Use_an_HTML_Policy_engine_to_validate_or_clean_user-driven_HTML_in_an_outbound_way HTML Validation (JSoup, AntiSamy, HTML Sanitizer)]</li></ul>
| |
| − | |-
| |
| − | | String
| |
| − | | DOM XSS
| |
| − | |
| |
| − | | <ul><li>[[DOM based XSS Prevention Cheat Sheet]]</li></ul>
| |
| − | |}
| |
| − | | |
| − | = Output Encoding Types =
| |
| − | | |
| − | {| class="wikitable"
| |
| − | |-
| |
| − | ! Encoding Type
| |
| − | ! Encoding Mechanism
| |
| − | |-
| |
| − | | HTML Entity Encoding
| |
| − | | & --> &amp;<br/>< --> &lt;<br/>> --> &gt;<br/>" --> &quot;<br/>' --> &#x27; ' is not recommended<br/>/ --> &#x2F; forward slash is included as it helps end an HTML entity
| |
| − | |-
| |
| − | | HTML Attribute Encoding
| |
| − | | TODO
| |
| − | |-
| |
| − | | URL Encoding
| |
| − | | TODO
| |
| − | |-
| |
| − | | JavaScript HEX Encoding
| |
| − | | TODO
| |
| − | |-
| |
| − | | CSS Hex Encoding
| |
| − | | TODO
| |
| − | |}
| |
| − | | |
| − | = Related Articles =
| |
| − | | |
| − | {{Cheatsheet_Navigation}}
| |
| − | | |
| − | = Authors and Primary Editors =
| |
| − | | |
| − | Jim Manico - jim [at] owasp.org<br/>
| |
| − | Jeff Williams - jeff [at] aspectsecurity.com
| |
| − | | |
| − | [[Category:Cheatsheets]]
| |
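Review bot: the redirect on line 1 discards a draft whose Output Encoding Types table still reads TODO for HTML Attribute, URL, JavaScript HEX and CSS Hex encoding, so nothing is lost there, but the HTML Entity Encoding row is the one piece of concrete guidance that should be checked against the target page: its apostrophe entry is garbled as `' --> &#x27; ' is not recommended` and evidently meant that `&#x27;` is the form to emit while the named `&apos;` entity is the one not recommended (it is not defined in HTML 4), so confirm the target states that plainly. Also confirm the target keeps the per-context advice in the overview table that is not tied to a numbered rule link, in particular "Ensure JavaScript variables are quoted" for the JavaScript context and "NO backslash encoding (\" or \' or \\)" for the event handler attribute context, since those rows had no rule anchor in the draft and would otherwise vanish with the redirect.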