This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Abridged XSS Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
m (Introduction)
m (XSS Prevention)
Line 3: Line 3:
 
Cross site scripting is the most common web vulnerability.  Cross Site Scripting is a dangerous threat since it allows an attacker to trick a victim into executing malicious client-side script in a browser.  This cheat sheet is a derivative work of the [[XSS (Cross Site Scripting) Prevention Cheat Sheet]] and will assist web developers in eliminating XSS from their applications.
 
Cross site scripting is the most common web vulnerability.  Cross Site Scripting is a dangerous threat since it allows an attacker to trick a victim into executing malicious client-side script in a browser.  This cheat sheet is a derivative work of the [[XSS (Cross Site Scripting) Prevention Cheat Sheet]] and will assist web developers in eliminating XSS from their applications.
  
= XSS Prevention =
+
= XSS Prevention by Context =
 +
 
 +
The following snippets of HTML demonstrate how to safely render untrusted data in a variety of different contexts.
  
 
{| class="wikitable nowraplinks"
 
{| class="wikitable nowraplinks"
Line 20: Line 22:
 
| Safe HTML Attributes
 
| Safe HTML Attributes
 
| &lt;input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>">
 
| &lt;input type="text" name="fname" value="<span style="color:red;">UNTRUSTED DATA</span>">
| <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Only place untrusted data into a whitelist of safe attributes.</li><li>Strictly validate unsafe attributes such as background, id and name.</ul>
+
| <ul><li>[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes Aggressive HTML Entity Encoding]</li><li>Only place untrusted data into a whitelist of safe attributes (listed below).</li><li>Strictly validate unsafe attributes such as background, id and name.</ul>
 
|-
 
|-
 
| String
 
| String
Line 41: Line 43:
 
| &lt;script>var currentValue='<span style="color:red;">UNTRUSTED DATA</span>';&lt;/script><br/>&lt;script>someFunction('<span style="color:red;">UNTRUSTED DATA</span>');&lt;/script>
 
| &lt;script>var currentValue='<span style="color:red;">UNTRUSTED DATA</span>';&lt;/script><br/>&lt;script>someFunction('<span style="color:red;">UNTRUSTED DATA</span>');&lt;/script>
 
| <ul><li>Ensure JavaScript variables are quoted</li><li>JavaScript Hex Encoding</li><li>JavaScript Unicode Encoding</li><li>Avoid backslash encoding (\" or \' or \\)</li></ul>
 
| <ul><li>Ensure JavaScript variables are quoted</li><li>JavaScript Hex Encoding</li><li>JavaScript Unicode Encoding</li><li>Avoid backslash encoding (\" or \' or \\)</li></ul>
|-
 
| String
 
| HTML Comment
 
| &lt;!-- <span style="color:red;">UNTRUSTED DATA</span> --&gt;
 
| TODO
 
|-
 
| String
 
| JavaScript Comment
 
| /* <span style="color:red;">UNTRUSTED DATA</span> */
 
| <ul><li>Danger, for example Chrome JavaScript comments [http://sla.ckers.org/forum/read.php?24,36929]</li></ul>
 
 
|-
 
|-
 
| HTML
 
| HTML
Line 89: Line 81:
  
 
'''''Safe HTML Attributes include:''''' align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
 
'''''Safe HTML Attributes include:''''' align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
 +
 +
= XSS Prevention Dangerous Contexts =
 +
 +
The following snippets of HTML demonstrate dangerous contexts that developers should always avoid.
 +
 +
{| class="wikitable nowraplinks"
 +
|-
 +
! Data Type
 +
! Context
 +
! Code Sample
 +
! Danger
 +
|-
 +
| String
 +
| HTML Comment
 +
| &lt;!-- <span style="color:red;">UNTRUSTED DATA</span> --&gt;
 +
| <ul><li>There are a variety of browser quirks that make this context, even when encoded, dangerous, and therefor should be avoided.</li></ul>
 +
|-
 +
| String
 +
| JavaScript Comment
 +
| /* <span style="color:red;">UNTRUSTED DATA</span> */
 +
| <ul><li>Danger, for example Chrome JavaScript comments [http://sla.ckers.org/forum/read.php?24,36929]</li></ul>
  
 
= Output Encoding =
 
= Output Encoding =

Revision as of 03:17, 28 November 2011

Introduction

Cross site scripting is the most common web vulnerability. Cross Site Scripting is a dangerous threat since it allows an attacker to trick a victim into executing malicious client-side script in a browser. This cheat sheet is a derivative work of the XSS (Cross Site Scripting) Prevention Cheat Sheet and will assist web developers in eliminating XSS from their applications.

XSS Prevention by Context

The following snippets of HTML demonstrate how to safely render untrusted data in a variety of different contexts.

Data Type Context Code Sample Defense
String HTML Body <span>UNTRUSTED DATA</span>
String Safe HTML Attributes <input type="text" name="fname" value="UNTRUSTED DATA">
  • Aggressive HTML Entity Encoding
  • Only place untrusted data into a whitelist of safe attributes (listed below).
  • Strictly validate unsafe attributes such as background, id and name.
String GET Parameter <a href="/site/search?value=UNTRUSTED DATA">clickme</a>
String Untrusted URL in a SRC or HREF attribute <a href="UNTRUSTED DATA">clickme</a>
<iframe src="UNTRUSTED DATA" />
  • Cannonicalize input
  • URL Validation
  • Safe URL verification
  • Whitelist http and https URL's only
  • Attribute encoder
String CSS Value <div style="width: UNTRUSTED DATA;">Selection</div>
String JavaScript Variable <script>var currentValue='UNTRUSTED DATA';</script>
<script>someFunction('UNTRUSTED DATA');</script>
  • Ensure JavaScript variables are quoted
  • JavaScript Hex Encoding
  • JavaScript Unicode Encoding
  • Avoid backslash encoding (\" or \' or \\)
HTML HTML Body <div>UNTRUSTED HTML</div>
JavaScript HTML Body <div>UNTRUSTED JAVASCRIPT</div>
  • Sandboxing with tools such as JSReg
String DOM XSS TODO
String AJAX/JSON Parsing JSON.parse(UNTRUSTED JSON DATA)
  • Use JSON.parse or json2.js library to parse JSON
  • Avoid parsing JSON with eval() as it will execute any script included with the JSON
String AJAX/HTML TODO
  • Userdata must be properly encoded serverside according to the rules above
String AJAX/XML Parsing TODO TODO
String Framework Protections <span>UNTRUSTED DATA</span>

Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

XSS Prevention Dangerous Contexts

The following snippets of HTML demonstrate dangerous contexts that developers should always avoid.

Data Type Context Code Sample Danger
String HTML Comment <!-- UNTRUSTED DATA -->
  • There are a variety of browser quirks that make this context, even when encoded, dangerous, and therefor should be avoided.
String JavaScript Comment /* UNTRUSTED DATA */
  • Danger, for example Chrome JavaScript comments [1]

Output Encoding

The purpose of output encoding (as it relates to Cross Site Scripting) is to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser. The following charts details a list of critical output encoding methods needed to stop Cross Site Scripting.

Encoding Type Encoding Mechanism
HTML Entity Encoding Convert & to &amp;
Convert < to &lt;
Convert > to &gt;
Convert " to &quot;
Convert ' to &#x27;
Convert / to &#x2F;
HTML Attribute Encoding Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = Hex Value)
URL Encoding Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp
JavaScript Encoding Except for alphanumeric characters, escape all characters with the \uXXXX unicode escaping format (X = Integer).
CSS Hex Encoding CSS escaping supports \XX and \XXXXXX. Using a two character escape can cause problems if the next character continues the escape sequence. There are two solutions (a) Add a space after the CSS escape (will be ignored by the CSS parser) (b) use the full amount of CSS escaping possible by zero padding the value.

Related Articles

OWASP Cheat Sheets Project Homepage


V - T - E Cheat Sheets
Developer / Builder
Assessment / Breaker
Mobile
OpSec / Defender
Draft and Beta
All Pages In This Category

Authors and Primary Editors

Jim Manico - jim [at] owasp.org
Jeff Williams - jeff [at] aspectsecurity.com

Retrieved from "https://wiki.owasp.org/index.php?title=Abridged_XSS_Prevention_Cheat_Sheet&oldid=120816"