This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Abridged XSS Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
m (XSS Prevention Overview)
m (XSS Prevention Overview)
Line 52: Line 52:
 
|
 
|
 
| <ul><li>[[DOM based XSS Prevention Cheat Sheet]]</li></ul>
 
| <ul><li>[[DOM based XSS Prevention Cheat Sheet]]</li></ul>
 +
|-
 +
| String
 +
| HTML Comment
 +
| &lt;!-- <span style="color:red;">UNTRUSTED HTML</span>--&gt;
 +
| ?
 +
|-
 +
| String
 +
| JavaScript Comment
 +
| /*<br/><span style="color:red;">UNTRUSTED HTML</span><br/>*/
 +
| ?
 +
|-
 +
| String
 +
| AJAX/JSON Parsing
 +
| ?
 +
| ?
 +
|-
 +
| String
 +
| AJAX/XML Parsing
 +
| ?
 +
| ?
 
|}
 
|}
  

Revision as of 10:40, 16 November 2011

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

Cross site scripting is the most common web vulnerability. It represents a serious threat because cross site scripting allows evil attacker code to run in a victim’s browser. More details about XSS can be found here: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

XSS Prevention Overview

Data Type Context Code Sample Defense
String HTML Body <span>UNTRUSTED DATA</span>
String HTML Attribute <input type="text" name="fname" value="UNTRUSTED DATA">
String GET Parameter <a href="/site/search?value=UNTRUSTED DATA">clickme</a>
String Untrusted URL rendered in an HREF tag
(or other HTML link contexts) 		<a href="UNTRUSTED DATA">clickme</a>
  • URL Validation
  • reject javascript: URL’s
  • Whitelist http, https and other safe URL types
  • Attribute encoding
  • safe URL verification
String CSS <div style="width: UNTRUSTED DATA;">Selection</div>
String JavaScript <script>var currentValue='UNTRUSTED DATA';</script>
  • Ensure JavaScript variables are quoted
  • JavaScript Hex Encoding
  • JavaScript Unicode Encoding
  • Avoid backslash encoding (\" or \' or \\)
HTML Text HTML Body <span>UNTRUSTED HTML</span>
String DOM XSS
String HTML Comment <!-- UNTRUSTED HTML-->  ?
String JavaScript Comment /*
UNTRUSTED HTML
*/ 		 ?
String AJAX/JSON Parsing  ?  ?
String AJAX/XML Parsing  ?  ?

Output Encoding Types

Encoding Type Encoding Mechanism
HTML Entity Encoding & --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27; ' is not recommended
/ --> &#x2F; forward slash is included as it helps end an HTML entity
HTML Attribute Encoding TODO
URL Encoding TODO
JavaScript HEX Encoding TODO
CSS Hex Encoding TODO

Related Articles

OWASP Cheat Sheets Project Homepage


V - T - E Cheat Sheets
Developer / Builder
Assessment / Breaker
Mobile
OpSec / Defender
Draft and Beta
All Pages In This Category

Authors and Primary Editors

Jim Manico - jim [at] owasp.org
Jeff Williams - jeff [at] aspectsecurity.com

Retrieved from "https://wiki.owasp.org/index.php?title=Abridged_XSS_Prevention_Cheat_Sheet&oldid=120262"