OWASP Cross Site Scripting (XSS)
September 10th, 2022
a) server-side rendering
// Don't do this
String queryBox = "<input type='text' value='" + request.getParameter("search") + "' />";
b) front-end apps
😞 put content straight into DOM without escaping
c) admin / customer-service GUIs
e.g. contact form
form submitted with hostile data
admin pulls up the record
executes on admin's browser
e.g. log viewers
put hostile data in log string
admin uses web log viewer
executes on admin's browser
solution
automated scanning tools
pattern: never trust input
scrub it on the way in
and
escape it on the way out
ref: OWASP's Java Encoder Project
ref: XSS Prevention Cheat Sheet
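Added example (not code from the post or from OWASP): the "Don't do this" line above beside a hardened version that uses the OWASP Java Encoder the post references, plus the log-viewer case encoded for HTML body context. It assumes the org.owasp.encoder library is on the classpath and that the search string was read with request.getParameter("search"); the hostile sample input is constructed.

```java
import org.owasp.encoder.Encode;

public class SearchBox {

    // Vulnerable (the post's "Don't do this" pattern): the untrusted value is
    // concatenated straight into a quoted HTML attribute. A single quote in the
    // input closes the attribute and whatever follows becomes new markup.
    static String unsafeQueryBox(String search) {
        return "<input type='text' value='" + search + "' />";
    }

    // Hardened: encode for the exact context the value lands in, a quoted
    // attribute. Quotes, angle brackets and ampersands become entity references,
    // so the browser keeps treating the whole value as attribute text.
    static String safeQueryBox(String search) {
        String value = (search == null) ? "" : search;   // avoid passing null
        return "<input type='text' value='" + Encode.forHtmlAttribute(value) + "' />";
    }

    // The admin / log-viewer case: hostile data written into a log earlier is
    // now placed in HTML body context, so it gets the body encoder, not the
    // attribute one. Choosing the encoder per output context is the point.
    static String logEntry(String untrustedMessage) {
        String msg = (untrustedMessage == null) ? "" : untrustedMessage;
        return "<li>" + Encode.forHtml(msg) + "</li>";
    }

    public static void main(String[] args) {
        // Constructed sample: breaks out of the attribute in the unsafe version
        // by closing the quote and adding a second attribute.
        String hostile = "x' title='injected";
        System.out.println(unsafeQueryBox(hostile));
        System.out.println(safeQueryBox(hostile));
        // Constructed log line containing markup that must not be rendered.
        System.out.println(logEntry("login failed for <b>admin</b>"));
    }
}
```

Running main prints the injected attribute in the first line and entity-encoded text in the second and third, which is the "escape it on the way out" step applied per context.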