[Esapi-user] xss and securitywrapper

Chris Schmidt chris.schmidt at owasp.org
Wed May 9 13:26:28 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
The referenced blog post illustrates the absolute wrong way to address
XSS. There are several problems with this approach:

1) Blacklist Filtering is bad mmkay
2) No contextual output encoding
3) No canonicalization
4) Blacklist Filtering is bad mmkay

You may want to start here:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

The XSS Prevention Cheat Sheet is a great reference for addressing XSS
issues in general.

Also the SecurityWrapper provides wrapped requests that perform validation
against attackable portions of the request and response -- this is
mainly to prevent attacks like request splitting and file download
injection. While this does provide a key piece of the protection against
XSS attacks (Canonicalization/Validation) it is by no means a complete
solution and by its very definition will not prevent XSS attacks.

Take a look at the cheat sheet referenced above and let us know if you
have any additional questions.

Chris

On 5/9/2012 4:06 AM, Özkan Pakdil wrote:
> I have a question. We are using
> http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/
> for XSS attack prevention,
> and there is
> http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/filters/SecurityWrapper.html
> for this purpose in ESAPI.
> Am I correct?
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iQEcBAEBAgAGBQJPqnCEAAoJEEOkVJOBy86BLIIIAIj4C8bYySPNkzb7yqM48yEO
ZT3PHxzYNFhm184dWcbrgoqTxwOfjMXwU6md3cC6maVYPV/guAeFJiKWiyOWxg6q
2SnX5mZmQqI/HQ3p17hwpSIJC+V83QG5pfha8FXBHndVYWXY8Jx3xRsceEQ1pJyq
nQky2E6T7rEi9l0RaSJg+3e+NbvM9TMTTBOpZ1o75+Va1HI7jb18QpteGM2uHNno
K5FvJbXGHz73RRv+OdAHakYvEWo5EUskQH/gixfNUWOpuT0g/aEYHRIFw4n/vf8E
eqSpF3jco3dOOXQP4wEhWg3sBMLrlZBWgKTq1SJROjjWY9e5qLqB3jOYsS0EZHY=
=0OoA
-----END PGP SIGNATURE-----
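The following is an added example illustrating the points in the reply above; it is not code from ESAPI or from the blog post the question links to. The regex blacklist is a hypothetical stand-in modelled on the usual "strip <script> and javascript:" servlet-filter approach (the exact patterns of the linked filter are not reproduced here), and the three encoders implement the HTML body, HTML attribute and JavaScript data value rules of the XSS Prevention Cheat Sheet by hand so the example runs on a plain JDK (Java 10 or later, for URLDecoder.decode(String, Charset)). In a real application you would call ESAPI's Encoder (encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, canonicalize) rather than hand-roll these.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Blacklist stripping versus contextual output encoding.
 * Not ESAPI code; the blacklist below is a hypothetical example of the technique.
 */
public class XssFilterVsEncoding {

    // Hypothetical blacklist: the kind of patterns a "sanitizing" servlet filter typically strips.
    private static final Pattern[] BLACKLIST = {
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
    };

    /** Blacklist "sanitizer": one pass, removes what it recognises, passes everything else through. */
    static String blacklistStrip(String input) {
        String out = input;
        for (Pattern p : BLACKLIST) {
            out = p.matcher(out).replaceAll("");
        }
        return out;
    }

    /** Cheat sheet rule #1: HTML entity encode untrusted data placed in element content. */
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Rule #2: attribute context. Everything but [A-Za-z0-9] becomes &#xHH; (and the attribute is always quoted). */
    static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAlnum(c)) sb.append(c);
            else sb.append("&#x").append(Integer.toHexString(c).toUpperCase(Locale.ROOT)).append(';');
        }
        return sb.toString();
    }

    /** Rule #3: JavaScript data value context. Everything but [A-Za-z0-9] becomes \xHH (or \\uHHHH above 0xFF). */
    static String encodeForJavaScript(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAlnum(c)) sb.append(c);
            else if (c < 0x100) sb.append(String.format("\\x%02X", (int) c));
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    private static boolean isAlnum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    public static void main(String[] args) {
        // Constructed payloads: each survives the blacklist above, but is inert after contextual encoding.
        String[] payloads = {
            "<img src=x onerror=alert(1)>",                  // no <script>, no javascript:, no onload
            "<scr<script>ipt>alert(1)</scr<script>ipt>",     // stripping the inner tags reassembles <script>
            "\" autofocus onfocus=alert(1) x=\"",            // attribute breakout; nothing on the list
            "%3Cscript%3Ealert(1)%3C%2Fscript%3E",           // no canonicalization: filter sees only %XX
        };
        for (String p : payloads) {
            String stripped = blacklistStrip(p);
            System.out.println("input              : " + p);
            System.out.println("after blacklist    : " + stripped);
            // What a later URL-decode (a downstream component or the browser) turns the "filtered" value into.
            System.out.println("decoded afterwards : " + URLDecoder.decode(stripped, StandardCharsets.UTF_8));
            System.out.println("html body          : <div>" + encodeForHtml(p) + "</div>");
            System.out.println("html attribute     : <input value=\"" + encodeForHtmlAttribute(p) + "\">");
            System.out.println("js string          : var v = '" + encodeForJavaScript(p) + "';");
            System.out.println();
        }
    }
}
```

Run with `java XssFilterVsEncoding.java`. The second payload shows why a single-pass blacklist is worse than useless: removing the two inner `<script>` tags leaves exactly `<script>alert(1)</script>`. The fourth shows the canonicalization problem: the filter never sees a `<` because the payload is still percent-encoded when it runs. The encoded outputs, by contrast, are safe to emit in their respective contexts regardless of what the input contains, which is why the cheat sheet treats output encoding per context, not input filtering, as the primary defence.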


