Life long sharing . . .

Web Application Security – Cross-Site Scripting

Posted on: May 9, 2017

Some of the good sites explaining Cross-Site Scripting:

  • Preventing XSS Attack
  • XSS Protect, a project hosted on Google code.
  • For the entire Spring MVC app, you can specify the escaping in the web.xml:
    <context-param>
       <param-name>defaultHtmlEscape</param-name>
       <param-value>true</param-value>
    </context-param>

    But this escaping applies only to the Spring tags, like:

    <form:input path="formField" htmlEscape="true" />
  • Anti cross-site scripting (XSS) filter for Java web apps

  • Manual testing for XSS
    • A good test string is >'>"><img src=x onerror=alert(0)>.
    • If your application doesn’t correctly escape this string, you will see an alert and will know that something went wrong.
    • Wherever your application handles user-supplied URLs, enter javascript:alert(0) or data:text/html,alert(0).
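Because defaultHtmlEscape only reaches the Spring tags, anything rendered through JSP EL, string concatenation or a custom tag still needs its own output encoding, and user-supplied URLs need a scheme check rather than HTML escaping alone. The following is an added example, not code from the original post or from Spring: a dependency-free HTML escaper equivalent in effect to what the Spring tags do, plus an allow-list check for link targets, run against the probe strings listed above. Class and method names (XssOutputEncoding, htmlEscape, safeHref) are my own, and it assumes Java 11 or newer.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not from the original post or from Spring): output encoding
 * for the places defaultHtmlEscape does not cover, plus a scheme allow-list
 * for user-supplied links. All names in this class are the example's own.
 */
public final class XssOutputEncoding {

    /** Escape a value for HTML text content or a double/single-quoted attribute. */
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // &apos; is not defined in HTML 4
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Schemes a user-supplied link may use; javascript: and data: are deliberately absent. */
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "mailto");

    /**
     * Return an href value that is safe to place inside a quoted attribute, or "#"
     * when the URL is unparsable or uses a scheme outside the allow-list.
     */
    static String safeHref(String userUrl) {
        if (userUrl == null) return "#";
        String trimmed = userUrl.strip();
        try {
            URI uri = new URI(trimmed);
            String scheme = uri.getScheme();
            // Relative links have no scheme and are accepted; absolute links must be allow-listed.
            if (scheme == null || ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
                return htmlEscape(trimmed);
            }
        } catch (URISyntaxException e) {
            // Input that does not parse as a URI is rejected below.
        }
        return "#";
    }

    public static void main(String[] args) {
        // Constructed inputs: the probe strings from the post above.
        String probe = ">'>\"><img src=x onerror=alert(0)>";
        System.out.println("<p>" + htmlEscape(probe) + "</p>");

        // Both URL probes are rejected and rendered as "#"; the plain https link passes
        // and has its ampersand escaped for the attribute context.
        System.out.println("<a href=\"" + safeHref("javascript:alert(0)") + "\">link</a>");
        System.out.println("<a href=\"" + safeHref("data:text/html,alert(0)") + "\">link</a>");
        System.out.println("<a href=\"" + safeHref("https://example.com/?q=a&b=c") + "\">link</a>");
    }
}
```

Compile and run with `javac XssOutputEncoding.java && java XssOutputEncoding`. The escaper is only correct for HTML text and quoted attribute values; a value placed inside a script block, an inline event handler or a CSS property needs the encoding for that context instead, which is the same reason the web.xml switch alone is not enough.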
