a) server-side rendering

// Don't do this: raw request input concatenated straight into an HTML attribute
String queryBox = "<input type='text' value='" + request.getParameter("search") + "' />";

b) front-end apps 😞 put content straight into DOM without escaping

c) admin / customer-service GUIs e.g. contact form

  • form submitted with hostile data
  • admin pulls up the record
  • executes on admin’s browser

e.g. log viewers

  • put hostile data in log string
  • admin uses web log viewer
  • executes on admin’s browser

solution

  • automated scanning tools

pattern: never trust input

scrub it on the way in
and
escape it on the way out
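The "don't do this" search box beside its escaped form, plus the log-viewer case, as an added example that is not part of the original notes. It assumes the OWASP Java Encoder (org.owasp.encoder:encoder) is on the classpath; the scrubSearch rule is an illustrative assumption, not a rule from the notes.

```java
import org.owasp.encoder.Encode;

public class SearchBox {
    // Vulnerable version from the notes: the raw value lands inside an attribute,
    // so any input containing a quote breaks out of the attribute boundary.
    static String unsafeQueryBox(String search) {
        return "<input type='text' value='" + search + "' />";
    }

    // "Scrub it on the way in": an illustrative allow-list for a search term
    // (assumed policy: no control characters, bounded length). Scrubbing alone
    // is not enough, because a legitimate search like O'Reilly still needs escaping.
    static String scrubSearch(String search) {
        if (search == null) return "";
        String trimmed = search.length() > 200 ? search.substring(0, 200) : search;
        return trimmed.replaceAll("[\\p{Cntrl}]", "");
    }

    // "Escape it on the way out": use the encoder that matches the output context.
    // Inside an attribute value that is forHtmlAttribute, not forHtml.
    static String safeQueryBox(String search) {
        return "<input type='text' value='" + Encode.forHtmlAttribute(scrubSearch(search)) + "' />";
    }

    // Log viewer case: a stored log line rendered into an HTML text node. Hostile
    // data written to the log is escaped here, at the point it reaches the admin's browser.
    static String logRow(String logLine) {
        return "<tr><td>" + Encode.forHtml(scrubSearch(logLine)) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed input: a single quote followed by an attribute, the shape of data
        // that a contact form or a log entry could carry into an admin GUI.
        String hostile = "x' data-injected='yes";
        System.out.println(unsafeQueryBox(hostile)); // quote closes value=, extra attribute appears
        System.out.println(safeQueryBox(hostile));   // quote is entity-encoded, attribute stays intact
        System.out.println(logRow("user=" + hostile + " <b>bold</b>"));
    }
}
```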

ref: OWASP Java Encoder | OWASP Foundation
ref: Cross Site Scripting Prevention - OWASP Cheat Sheet Series

(src: