Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: JS XSS protection library
From: Robin Wood <robin () digininja org>
Date: Wed, 17 Jul 2013 14:03:15 +0100

My use was just on a training app and i just wanted a way to push
people away from just dropping things into input fields and have them
use the proxy to modify traffic.

Trying to do this properly on client side is a waste of time in
reality, do it all server side.

Robin

On 17 July 2013 08:06, d4x <d4x () hackers it> wrote:
Hi Robin,
Recently I'm trying to secure my websites against XSS with injection of JS
in many ways. Unfortunately these solutions doesn't seem to work properly.

OSWAP basically say to work on whitelists, and (with Ruby) the Sanitize gem
is helping giving a first level of protection, stripping *all* malicious
tags from params...but it's not enough.

Some tries ( I.e starting with %22%20onmouseover) are still painful and at
this point I'm writing some code to escape but I am back to blacklisting,
which smell like a neverending run.

Adding code for stupid params like locale also slow down performance, but is
it a secondary problem.

d4x

Sent from my mobile

On 14/lug/2013, at 09:41, Robin Wood <robin () digininja org> wrote:

Thanks for the suggestions, as long as it gives the impression it is
filtering I'm happy so I'll see which of these is the easiest to drop in.

Robin

On Jul 14, 2013 3:47 AM, "Ryan Dewhurst" <ryandewhurst () gmail com> wrote:

The OWASP DOM XSS Prevention Cheat Sheet (if you haven't come across it
already) lists these:

"
1.ESAPI
2.Apache Commons String Utils
3.Jtidy
4.Your company’s custom implementation.

Some work on a black list while others ignore important characters like
“<” and “>”. ESAPI is one of the few which works on a whitelist and encodes
all non-alphanumeric characters. It is important to use an encoding library
that understands which characters can be used to exploit vulnerabilies in
their respective contexts. Misconceptions abound related to the proper
encoding that is required.
" - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

I have no experience with any of them, so can't recommend any.


On Sun, Jul 7, 2013 at 8:51 PM, Robin Wood <robin () digininja org> wrote:

Can anyone suggest a JS XSS protection library?

Please don't preach they don't work its for a special project so even a
bad one will do.

Robin


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault