Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS)"

(Created page with "Return to Periodic Table Working View == Cross-Site Scripting (XSS)== === Root Cause Summary ==...")
 
Line 23: Line 23:
  
 
=== References ===
 
=== References ===
 +
[https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  OWASP Cross-site Scripting (XSS)
 +
]<br>
 +
 +
[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet OWASP – XSS (Cross Site Scripting) Prevention Cheat Sheet]<br>
 +
 +
[http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting The Web Application Security Consortium – Cross Site Scripting]<br>
 +
 +
[http://capec.mitre.org/data/definitions/341.html Common Attack Pattern Emulation and Classification – CAPEC-341: WASC Threat Classification 2.0 – WASC-8 – Cross-Site Scripting]<br>
 +
 +
[http://www.cgisecurity.com/xss-faq.html cgisecurity - The Cross-Site Scripting (XSS) FAQ]<br>
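Review bot: the first added reference is split across three lines (`[https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  OWASP Cross-site Scripting (XSS)`, then `]<br>` on its own line), and MediaWiki external-link syntax needs the opening `[` and closing `]` on the same line, so this entry renders as literal bracketed text rather than a link, while the four entries after it, each written on one line, render correctly. Suggest joining it into a single line, `[https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) OWASP Cross-site Scripting (XSS)]<br>`, in the same style as the entries that follow.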

Revision as of 12:20, 24 June 2013

Return to Periodic Table Working View


Cross-Site Scripting (XSS)

Root Cause Summary

Browser / Standards Solution

Browser vendors and standards bodies should agree on markup for elements that contain dynamic content (e.g. Flash, JavaScript, HTML) inline without allowing that dynamic content to perform malicious actions such as navigating the parent window, reading or writing data across trust boundaries, or other behaviour the owner of the containing page deems undesirable.

Perimeter Solution

None

Generic Framework Solution

Automatically sanitize any dynamic content before writing it into HTML, XML, or other documents that might be rendered by user agents that execute active content. If dynamic content must include dangerous elements, provide APIs which filter and sanitize potentially dangerous attributes of these elements. Exceptions and attribute configurations should be described by a policy file instead of hard-coded into the framework itself or into function calls.
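The two paths this describes, escape everything by default and, for content that must keep markup, filter it against a policy rather than hard-coded rules, as an added example written for this page (not OWASP's or any framework's own code). The `POLICY` dictionary is a hypothetical policy format standing in for the policy file the text calls for, and the inputs in the comments are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy format: element -> attributes it may keep; anything not listed is dropped.
POLICY = {"p": set(), "b": set(), "i": set(), "a": {"href"}}
SAFE_URL_SCHEMES = {"http", "https"}
DROP_CONTENT = {"script", "style"}  # text inside these is never rendered as prose, so drop it too

def encode_for_html(value: str) -> str:
    """Default path: dynamic content becomes inert text between tags or inside a quoted attribute."""
    return html.escape(value, quote=True)

class PolicySanitizer(HTMLParser):
    """Rich-content path: re-serialises a fragment keeping only policy-listed elements and attributes."""
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out, self.skipping = policy, [], None
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        allowed = self.policy.get(tag)
        if allowed is None:
            return  # unknown element: tag dropped, its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in allowed or value is None:
                continue  # event handlers, style, etc. are simply absent from the policy
            # attribute values arrive entity-decoded, so "java&#115;cript:" is seen as "javascript:"
            if name == "href" and urlparse(value).scheme.lower() not in SAFE_URL_SCHEMES:
                continue  # rejects javascript:, data:, vbscript: and scheme-less values
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.policy:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(html.escape(data, quote=True))

def sanitize_html(fragment: str, policy=POLICY) -> str:
    """Constructed input '<p onclick="x()">Hi <a href="javascript:void(0)">bad</a></p>' -> '<p>Hi <a>bad</a></p>'."""
    parser = PolicySanitizer(policy)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Because the policy is data, an exception such as allowing `img` with `src` is a change to `POLICY`, not to the sanitizer or to the call sites.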

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

References

OWASP Cross-site Scripting (XSS)

OWASP – XSS (Cross Site Scripting) Prevention Cheat Sheet

The Web Application Security Consortium – Cross Site Scripting

Common Attack Pattern Emulation and Classification – CAPEC-341: WASC Threat Classification 2.0 – WASC-8 – Cross-Site Scripting

cgisecurity - The Cross-Site Scripting (XSS) FAQ