Difference between revisions of "Talk:DOM based XSS Prevention Cheat Sheet"

(example of markup)
 
 
Line 1: Line 1:
 +
=== ideas from Ryan ===
 +
 +
FYI – have you see our updated XSS Defense Demo?  http://www.modsecurity.org/demo/demo-deny-noescape.html.  We are able to dynamically inject eith MentalJS (Gareth Heyes' JS Sandbox), or DOMPurify (Mario's JS/DOM sanitizer).  This is pretty bad-ass as a methof or WAFs to help prevent XSS attack surface :)  You might want to update your OWASP Top 10 Controls content to mention it during either the XSS or Virtual Patching sections.
 +
 +
 +
 
=== current markup ===
 
=== current markup ===
  

Latest revision as of 15:42, 9 April 2014

ideas from Ryan

FYI – have you seen our updated XSS Defense Demo? http://www.modsecurity.org/demo/demo-deny-noescape.html. We are able to dynamically inject either MentalJS (Gareth Heyes' JS Sandbox) or DOMPurify (Mario's JS/DOM sanitizer). This is pretty bad-ass as a method for WAFs to help prevent XSS attack surface :) You might want to update your OWASP Top 10 Controls content to mention it during either the XSS or Virtual Patching sections.


current markup

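// Builds an anchor whose click handler is supplied as a string. The handler
// text is written entirely with JavaScript Unicode escapes and decodes to
// `alert(22)`; the point of the example is that an event-handler attribute
// set through setAttribute() is parsed as script, so the escaped form runs
// exactly like the plain text would.
var x = document.createElement("a");
x.href = "#"; // the pasted original closed this literal with a typographic quote (”), which leaves the string unterminated
x.setAttribute("onclick", "\u0061\u006c\u0065\u0072\u0074\u0028\u0032\u0032\u0029");
var y = document.createTextNode("Click To Test");
x.appendChild(y);
document.body.appendChild(x);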

... some text ...

// Every identifier below is spelled with Unicode escapes, which JavaScript
// permits inside identifier names; the engine resolves them before the code
// runs. Decoded, the two statements are:
//   for (var b = 0; b < 10; b++) { document.writeln("Hello World"); }
//   window.eval(document.write(111111111));
// Defensive takeaway: a filter that searches the text for the literal tokens
// `document`, `eval` or `write` will not match this, yet it executes
// identically — token-based blocklists are not a DOM XSS control.
for ( var \u0062=0; \u0062 < 10; \u0062++){
\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074
.\u0077\u0072\u0069\u0074\u0065\u006c\u006e
("\u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064");
}
// document.write() returns undefined, so eval() receives a non-string and
// returns it unchanged; the observable effect is the write() call itself.
\u0077\u0069\u006e\u0064\u006f\u0077
.\u0065\u0076\u0061\u006c (
\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074
.\u0077\u0072\u0069\u0074\u0065(111111111));


suggested markup

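// Creates an anchor element and attaches an inline click handler given as a
// string. That string is composed of JavaScript Unicode escapes and decodes
// to `alert(22)`: an onclick attribute assigned via setAttribute() is still
// interpreted as script, so escaping the handler text does not change what
// it does when the link is clicked.
var x = document.createElement("a");
x.href = "#"; // the pasted original ended this literal with a curly quote (”), which is not a string terminator in JavaScript
x.setAttribute("onclick", "\u0061\u006c\u0065\u0072\u0074\u0028\u0032\u0032\u0029");
var y = document.createTextNode("Click To Test");
x.appendChild(y);
document.body.appendChild(x);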


... some text ...

// Same listing as the "current markup" version, with the loop body indented.
// All identifiers are written as Unicode escapes (legal in JavaScript
// identifier names), and the engine decodes them before execution:
//   for (var b = 0; b < 10; b++) { document.writeln("Hello World"); }
//   window.eval(document.write(111111111));
// The defensive point: string matching on `document`, `eval` or `write`
// never sees these tokens, so such a filter provides no protection here.
for ( var \u0062=0; \u0062 < 10; \u0062++){
   \u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074                    
   .\u0077\u0072\u0069\u0074\u0065\u006c\u006e
   ("\u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064");
}
// eval() is handed the return value of document.write(), which is undefined;
// eval of a non-string returns its argument, so only the write() has an effect.
\u0077\u0069\u006e\u0064\u006f\u0077
.\u0065\u0076\u0061\u006c (
\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074
.\u0077\u0072\u0069\u0074\u0065(111111111));