XSS is about scripts injected into a web page, typically JavaScript.
There are three types of XSS: Stored XSS, Reflected XSS and DOM-based XSS.
Top 10-2017 A7-Cross-Site Scripting (XSS)
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
To protect against XSS, you must have strong input validation:
- Accept known good, otherwise reject (whitelist), e.g. a phone number, or only ASCII [a-zA-Z0-9].
- Sanitize, i.e. transform the user input into an acceptable format. See Input Validation - OWASP Java HTML Sanitizer.
- Reject known bad (blacklist), e.g. ' (SQL injection).
Besides input validation, you should add the OWASP security HTTP headers, especially 'X-XSS-Protection: 1; mode=block'.
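As an added example (not code from the original post), the three validation options above and the header advice in one small Node.js module: an allowlist validator, HTML output encoding as the sanitizing step, a denylist check kept only to show why it is the weakest choice, and a function that returns the response headers. The phone-number pattern, the CSP policy string and the `renderGreeting` page function are assumptions made for this example; the Content-Security-Policy header is included alongside the post's X-XSS-Protection header because current browsers have dropped X-XSS-Protection and rely on CSP instead.

```javascript
// Added example: allowlist validation, HTML output encoding and security
// headers as an XSS defence. Not code from the original post.

// 1. Allowlist validators: accept only known-good shapes, reject the rest.
const ALLOWLIST = {
  phone: /^\+?[0-9]{7,15}$/,   // assumed rule: optional '+', 7 to 15 digits
  alnum: /^[a-zA-Z0-9]+$/,     // the post's "only ASCII [a-zA-Z0-9]" rule
};

function validate(kind, value) {
  const rule = ALLOWLIST[kind];
  if (!rule) throw new Error(`unknown field kind: ${kind}`);
  return typeof value === 'string' && rule.test(value);
}

// 2. Output encoding for HTML text and quoted-attribute contexts. This is
// the "sanitize" step done at output time: the five characters that can
// break out of a text node or a quoted attribute become entities.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 3. Denylist as a last-resort check. It only catches patterns it already
// knows, and it produces false positives (e.g. "phone=555" matches the
// event-handler pattern), which is why it must not be the primary control.
const DENYLIST = [/<\s*script/i, /javascript\s*:/i, /on\w+\s*=/i];

function looksMalicious(value) {
  return DENYLIST.some((re) => re.test(String(value)));
}

// 4. Security headers. X-XSS-Protection is the header the post names; the
// CSP line is an assumption for this example and must be adjusted to the
// resources your page actually loads.
function securityHeaders() {
  return {
    'X-XSS-Protection': '1; mode=block',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Hypothetical page handler: validate the field, encode it for HTML,
// attach the headers. Returns a plain object instead of writing to a socket
// so it can be exercised offline.
function renderGreeting(name) {
  if (!validate('alnum', name)) {
    return { status: 400, headers: securityHeaders(), body: 'invalid name' };
  }
  return {
    status: 200,
    headers: securityHeaders(),
    body: `<p>Hello, ${escapeHtml(name)}</p>`,
  };
}

// Constructed sample inputs for a stand-alone run.
console.log(renderGreeting('alice'));
console.log(renderGreeting('<script>alert(1)</script>'));
console.log(escapeHtml('<script>alert("x")</script>'));
```

The allowlist rejects the script input outright; the escaper makes it harmless text if it ever reaches output (for example via a field that legitimately allows punctuation); the headers are returned from a function so the same set is applied to every response, error pages included.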