misfir3 82ef171a50 XSS Lesson Modifications (#367)
* initial cut on XSS, need to add some tests still

* initial unit tests for assignment endpoints

* updating header comment license thingy

* comment, clean up

* Stubs for security unit test

* Additional Unit Testing

* isEncoded and isNotEncoded Unit Tests added

* http-proxies updates

* update for XXE solutions

* Work-around to handle special chars in action ... currently to be able to match {userId} in hint creation/assignment for IDOR

* IDOR hints updated

* mitigation content update

* mitigation content update ... 2

* Lesson Overview updates

* including restart lesson fix for lesson overview
2017-07-10 08:33:10 -04:00

== XSS Defense
* HTML entity input encoding
** Converting < and > to &lt; and &gt; before storage
* HTML entity output encoding
** Converting < and > to &lt; and &gt; before writing
* Input validation
** Positive model to allow valid characters only
** New attacks are found every day
*** a negative filter (blacklist) is not reliable
* Setting the HttpOnly cookie attribute
* Only accepting POST data to prevent reflected XSS
* Use language specific built-in mechanisms
** Request validation in ASP.NET (enabled in web.config or per page with the @ Page directive)
+
----
<%@ Page ValidateRequest="true" %>
----
** Struts
+
----
<bean:write ... >
----
*Any problems with these approaches?*