[Esapi-user] ricardozuasti.com - Stronger anti cross-site scripting (XSS) filter for Java web apps

Luke Biddell luke.biddell at gmail.com
Mon Jul 9 09:36:42 UTC 2012


Agreed on all counts, no substitute for proper ESAPI validator use.

And from what I see it kinda crosses over with ESAPI's SecureRequestWrapper
which I'm already using.

But like you say it might prove useful to detect the low hanging fruit, I
might wire it into our AppSensor and see what pops up.

On 6 July 2012 23:42, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:

> On Fri, Jul 6, 2012 at 5:51 PM, Jeff Williams
> <jeff.williams at aspectsecurity.com> wrote:
> > On July 06, 2012 5:44 PM, Luke Biddell wrote:
> >>
> >> Bumped into this on my travels. Seems helpful from a blacklist perspective.
> >>
> >> Whaddaya think?
> >>
> >> http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
> >
> > I’m not crazy about this.  I suspect that <scri<script>pt> will sail
> > through, but I didn’t look very closely.  I’d stick to making sure your UI
> > components properly (contextually) encode untrusted data.
>
> Only looked at this for about 30 seconds, but didn't they also need to
> include things like "onclick" and "mouseover", etc.? I barely know any
> JavaScript, but since those attributes can call JavaScript, it seems like
> they should also be black-listed.
>
> I guess it might be something to catch low hanging fruit, I always fear that
> developers will find out it is there and think the JavaEE filter will catch it
> so they no longer have to code defensively.  So it might be better than
> nothing, but not better than doing it properly. If your site's getting hacked
> and you can't take it down to patch, it might buy you some time by using
> it as a virtual patch.
>
> Anyhow, am I wrong about the "onclick" and "mouseover"? There are probably
> lots of others too.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents."        -- Nathaniel Borenstein
>
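The two gaps raised in the thread, side by side with the contextual encoding Jeff recommends, as an added illustration that is not code from the thread or from the linked filter. The blacklist pattern, the class and method names, and the sample strings are assumptions made for the example.

```java
import java.util.regex.Pattern;

// Added example: a hypothetical single-pass blacklist filter beside contextual
// HTML encoding, showing why the thread prefers encoding at the output context.
public class BlacklistVersusEncoding {

    // Hypothetical blacklist: strips <script ...> and </script> in one pass and,
    // as Kevin observes of the linked filter, lists no event-handler attributes.
    private static final Pattern SCRIPT_TAGS =
        Pattern.compile("<script[^>]*>|</script>", Pattern.CASE_INSENSITIVE);

    static String blacklistStrip(String untrusted) {
        return SCRIPT_TAGS.matcher(untrusted).replaceAll("");
    }

    // Contextual encoding for an HTML element body: the browser renders the
    // characters literally, so no markup survives regardless of spelling tricks.
    static String encodeForHtmlBody(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Jeff's case: removing the inner <script> re-assembles the outer one.
        String nested = "<scri<script>pt>";
        String stripped = blacklistStrip(nested);
        if (!stripped.equals("<script>")) throw new AssertionError(stripped);

        // Kevin's case: an event-handler attribute is not on the list, so it passes untouched.
        String handler = "<b onclick=x>";
        if (!blacklistStrip(handler).equals(handler)) throw new AssertionError();

        // Encoding leaves no '<' or '>' for the parser to treat as a tag in either case.
        for (String s : new String[] {nested, handler}) {
            String enc = encodeForHtmlBody(s);
            if (enc.contains("<") || enc.contains(">")) throw new AssertionError(enc);
        }
        System.out.println("blacklist: " + stripped + "  encoded: " + encodeForHtmlBody(nested));
    }
}
```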

