This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Abridged XSS Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
m (Output Encoding Types)
m (Output Encoding Types)
Line 87: Line 87:
 
|-
 
|-
 
| HTML Attribute Encoding
 
| HTML Attribute Encoding
| Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces.
+
| Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = Hex Value)
 
|-
 
|-
 
| URL Encoding
 
| URL Encoding
 
| Standard percent encoding, see: [http://www.w3schools.com/tags/ref_urlencode.asp http://www.w3schools.com/tags/ref_urlencode.asp]
 
| Standard percent encoding, see: [http://www.w3schools.com/tags/ref_urlencode.asp http://www.w3schools.com/tags/ref_urlencode.asp]
 
|-
 
|-
| JavaScript HEX Encoding
+
| JavaScript Encoding
| Except for alphanumeric characters, escape all characters with the \xHH escaping format.
+
| Except for alphanumeric characters, escape all characters with the \uXXXX unicode escaping format (X = Integer).
 
|-
 
|-
 
| CSS Hex Encoding
 
| CSS Hex Encoding
| Except for alphanumeric characters, escape all characters with the \HH escaping format.
+
| CSS escaping supports \XX and \XXXXXX. Using a two character escape can cause problems if the next character continues the escape sequence. There are two solutions (a) Add a space after the CSS escape (will be ignored by the CSS parser) (b) use the full amount of CSS escaping possible by zero padding the value.
 
|}
 
|}
  

Revision as of 22:37, 16 November 2011

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

Cross site scripting is the most common web vulnerability. It represents a serious threat because cross site scripting allows evil attacker code to run in a victim’s browser. This cheat sheet is a derivative work of the XSS (Cross Site Scripting) Prevention Cheat Sheet.

XSS Prevention Overview

Data Type Context Code Sample Defense
String HTML Body <span>UNTRUSTED DATA</span>
String Safe HTML Attributes <input type="text" name="fname" value="UNTRUSTED DATA">
  • Aggressive HTML Entity Encoding
  • Only place untrusted data into a whitelist of safe attributes.
  • Strictly validate unsafe attributes such as background, id and name.
String GET Parameter <a href="/site/search?value=UNTRUSTED DATA">clickme</a>
String Untrusted URL in a SRC or HREF attribute <a href="UNTRUSTED DATA">clickme</a>
<iframe src="UNTRUSTED DATA" />
  • Cannonicalize input
  • URL Validation
  • Safe URL verification
  • Whitelist http and https URL's only
  • Attribute encoder
String CSS <div style="width: UNTRUSTED DATA;">Selection</div>
String JavaScript <script>var currentValue='UNTRUSTED DATA';</script>
  • Ensure JavaScript variables are quoted
  • JavaScript Hex Encoding
  • JavaScript Unicode Encoding
  • Avoid backslash encoding (\" or \' or \\)
String HTML Comment <!-- UNTRUSTED DATA--> TODO
String JavaScript Comment /*
UNTRUSTED DATA
*/ 		TODO
HTML HTML Body <span>UNTRUSTED HTML</span>
String DOM XSS TODO
String AJAX/JSON Parsing TODO
  • Use JSON.parse or json2.js library to parse JSON
  • Avoid parsing JSON with eval()
String AJAX/XML Parsing TODO TODO

Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

Output Encoding Types

Encoding Type Encoding Mechanism
HTML Entity Encoding Convert & to &amp;
Convert < to &lt;
Convert > to &gt;
Convert " to &quot;
Convert ' to &#x27;
Convert / to &#x2F;
HTML Attribute Encoding Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = Hex Value)
URL Encoding Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp
JavaScript Encoding Except for alphanumeric characters, escape all characters with the \uXXXX unicode escaping format (X = Integer).
CSS Hex Encoding CSS escaping supports \XX and \XXXXXX. Using a two character escape can cause problems if the next character continues the escape sequence. There are two solutions (a) Add a space after the CSS escape (will be ignored by the CSS parser) (b) use the full amount of CSS escaping possible by zero padding the value.

Related Articles

OWASP Cheat Sheets Project Homepage


V - T - E Cheat Sheets
Developer / Builder
Assessment / Breaker
Mobile
OpSec / Defender
Draft and Beta
All Pages In This Category

Authors and Primary Editors

Jim Manico - jim [at] owasp.org
Jeff Williams - jeff [at] aspectsecurity.com

Retrieved from "https://wiki.owasp.org/index.php?title=Abridged_XSS_Prevention_Cheat_Sheet&oldid=120332"