javascript - Mitigating XSS attacks from submitted data - is the < character the heart of all attacks? -

-

i have been perusing owasp xss filter evasion cheat sheet , appears (all?) user-input based xss attack vectors depend on ability submit < character or encoded version thereof. per owasp document, can't find attack vectors bypass need inject < character in way. if input filter checks , removes or replaces instances of < user-submitted data, xss risks mitigated?

specifically i'm asking if there other xss attack vectors against user-submitted data don't depend on < character.

obviously doesn't mitigate sql injection etc, that's separate issue.

thanks input!

i not going does prevent, address of allows through.

let's filter takes string, , returns string of < replaced empty strings. ignoring mess implementation if not careful. if inject un-trusted data html attributes or javascript strings, example, you've done nothing mitigate xss.

here's example of xss attack vector use bypass filterleftbrackets():

<div id="content" data-query="~injection-point~"></div>

payload be: q" onmouseover=alert('xss'); data-x="

resulting in:

<div id="content" data-query="q" onmouseover=alert('xss'); data-x=""></div>

here's 1 javascript:

var querymsg = "you searched for: " + "~injection-point~";

payload be: q"; alert('xss'); var x="

resulting in:

var querymsg = "you searched for: " + "q"; alert('xss'); var x="";

in both cases, needed escape ", have been '. thing injection depends entirely on context. thoughtful putting user input, , check have been used "break out" of constraints assume set.

in short, use library... don't come own scheme, , thoughtful of context.

please note evasion cheat sheet:

this cheat sheet people already understand basics of xss attacks want deep understanding of nuances regarding filter evasion.

you may find more helpful: https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet

i'm big fan of tutorial google: https://www.google.com/about/appsecurity/learning/xss/


Comments

Post a Comment

Popular posts from this blog

mysql - FireDac error 314 - but DLLs are in program directory -

-
i getting when trying access mysql database : [firedac][phys][mysql]-314. cannot load vendor library [libmysql.dll or libmysqlld.dll] this did not happen (unchanged) code, however, have upgraded windows 10 , had reinstall delphi xe8, system configuration matter. in order try solve problem, copied both of files c:\windows\sysytem32. when did not seem work, copied them \win32\debug, generated .exe resides. i imagine doing rather stupid, can't see what. the proper solution place driver file (eg., libmysql.dll ) in application's folder, or place installation location in fddrivers.ini file: [mysql] vendor=<folder>\libmysql.dll (recent versions of documentation seem use vendorlib instead of vendor in ini file.) see rad studio documentation topics configuring drivers (firedac) , connect mysql server (firedac) more information.
Read more

git - How to list all releases of public repository with GitHub API V3 -

-
so per documentation https://developer.github.com/v3/repos/releases/#list-releases-for-a-repository get /repos/:owner/:repo/releases should list relases , https://api.github.com/repos/jquery/jquery/releases should list releases in jquery project , not , why ? because repository doesn't have releases. has tags github presenting in releases page. for more clear example, see: https://github.com/hashicorp/terraform/releases which has both releases , tags showing on page, api shows releases: https://api.github.com/repos/hashicorp/terraform/releases
Read more

c++ - Getting C2512 "no default constructor" for `ClassA` error on the first parentheses of constructor for `ClassB`? -

-
my situation follows. let there header file classdeclarations.h , have following classes declared: class classa; class classb; class classa { public: classa(int x); classa(double y); int returninteger(void) { return m_x; } double returndouble(void) { return m_y; } private: int m_x; double m_y; } class classb { public: classb(int x); int returninteger(void) { return m_x; } private: int m_x; classa m_instancea_1; } let there *.cpp file called classdefns.cpp , define methods of classes declared in classdeclarations.h : #include classdeclarations.h classa::classa(int x) : m_x(x) { } classa::classa(double y) : m_y(y) { } classb::classb(int x) : m_x(x) { // line build error occurs m_instancea_1 = classa(0); } note have commented line compiler says there error: error c2512: 'classa' : no appropriate default constructor avai...
Read more