Professional Webmasters Community

The OWASP Top Ten and ESAPI Part 2


Post by andry, Tue Nov 09, 2010 2:57 am

The OWASP Top Ten and ESAPI - Part 2 - Cross Site Scripting (XSS)

This article will describe how to protect your J2EE application from XSS using ESAPI. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article The OWASP Top Ten and ESAPI.

Here is a slightly modified definition of XSS from OWASP:
XSS flaws occur whenever an application takes untrusted (typically user supplied) data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

As you can see, XSS essentially allows an attacker to splash whatever they want on the screen since the application doesn’t do any input validation or output encoding. This is not a big deal when you have benevolent users, but an attacker could, say, input some nasty JavaScript and cause quite a few problems. This is typically what happens - JavaScript is output and generally executes in the background so the user is unaware of what’s occurring.

In general there are 3 types of XSS: See
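As an added example, not code from andry's post or from the ESAPI project itself: the vulnerable concatenation the post describes, next to the same fragment built with ESAPI's output encoder. It assumes the ESAPI 2.x jar and its ESAPI.properties file are on the classpath; the class name, the HTML fragments and the sample input are constructed for illustration. It also goes one step beyond the post by showing that the encoder has to match the output context (HTML body, attribute value, JavaScript string), since HTML-body encoding alone does not protect the other two.

```java
// Added example (not from the original post or the ESAPI project): the
// vulnerable pattern the article describes beside its ESAPI-encoded fix,
// in a plain main() so it runs without a servlet container.
// Assumptions: esapi-2.x.jar and ESAPI.properties are on the classpath;
// the HTML fragments, parameter name and sample input are constructed here.

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

public class XssEncodingDemo {

    // Vulnerable: untrusted data is concatenated straight into HTML, so any
    // markup the user submits is rendered (and any script in it executes).
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "!</p>";
    }

    // Fixed: encode for the HTML body context before concatenation, so the
    // characters that would start a tag or entity are shown as literal text.
    static String renderSafe(String name) {
        Encoder enc = ESAPI.encoder();
        return "<p>Hello, " + enc.encodeForHTML(name) + "!</p>";
    }

    // Each output context needs its own encoder: HTML-body encoding is not
    // sufficient inside a quoted attribute value ...
    static String renderAttributeSafe(String name) {
        Encoder enc = ESAPI.encoder();
        return "<input type=\"text\" name=\"user\" value=\""
                + enc.encodeForHTMLAttribute(name) + "\">";
    }

    // ... or inside a JavaScript string literal.
    static String renderScriptSafe(String name) {
        Encoder enc = ESAPI.encoder();
        return "<script>var user = '" + enc.encodeForJavaScript(name) + "';</script>";
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a request parameter.
        String untrusted = "<script>alert('xss')</script>";

        System.out.println("unsafe:    " + renderUnsafe(untrusted));
        System.out.println("html:      " + renderSafe(untrusted));
        System.out.println("attribute: " + renderAttributeSafe(untrusted));
        System.out.println("script:    " + renderScriptSafe(untrusted));
    }
}
```

Compile and run with the ESAPI jar (and its dependencies) on the classpath; the first line prints the raw markup, while the encoded lines show the same input with its tag and quote characters replaced by entities or escape sequences for the respective context. Which encoder to call is decided by where in the page the value lands, not by what the value looks like.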
