[Esapi-user] xss and securitywrapper

Jeff Williams jeff.williams at aspectsecurity.com
Wed May 9 14:52:35 UTC 2012


Absolutely agree.  Doing "input encoding" is likely to break many applications.  All of a sudden you're going to be searching for O'Conner in your database.  And a million other problems.  You should think of this pattern: canonicalize, validate, output encode.

--Jeff
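The canonicalize, validate, output-encode pattern Jeff describes, contrasted with the "input encoding" that breaks the O'Conner lookup, as an added Java example that is not from the thread or from ESAPI. The class, the name whitelist and the sample inputs are constructed for illustration; only percent-encoding is canonicalized here, and output encoding is shown for the HTML body context only.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class XssPattern {
    // Constructed positive pattern for a person's name: letters, space, dot, apostrophe, hyphen.
    private static final Pattern NAME = Pattern.compile("^[\\p{L} .'-]{1,64}$");
    private static final String[] HTML_ESC = {"&amp;", "&lt;", "&gt;", "&quot;", "&#39;"};

    // Step 1, canonicalize: URL-decode until the value stops changing. Needing a
    // second decode means double encoding, which is rejected instead of unwrapped.
    // (Only percent-encoding is handled here; a real canonicalizer also folds HTML
    // entities and other encodings. Note that URLDecoder turns '+' into a space.)
    static String canonicalize(String in) {
        String cur = in;
        for (int pass = 0; pass < 3; pass++) {
            String next = URLDecoder.decode(cur, StandardCharsets.UTF_8); // throws on malformed %xx
            if (next.equals(cur)) {
                if (pass > 1) throw new IllegalArgumentException("double encoding: " + in);
                return cur;
            }
            cur = next;
        }
        throw new IllegalArgumentException("too many encoding layers: " + in);
    }
    // Step 2, validate the canonical form against the field's whitelist and keep it
    // raw: the database sees O'Conner, not O&#39;Conner, so lookups still match.
    static String validateName(String canonical) {
        if (!NAME.matcher(canonical).matches())
            throw new IllegalArgumentException("rejected by validation: " + canonical);
        return canonical;
    }
    // Step 3, output-encode for the HTML body context only, at render time.
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            int i = "&<>\"'".indexOf(c);
            sb.append(i < 0 ? String.valueOf(c) : HTML_ESC[i]);
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        String name = validateName(canonicalize("O%27Conner"));    // O'Conner, stored as-is
        System.out.println("<td>" + encodeForHtml(name) + "</td>"); // <td>O&#39;Conner</td>
        // "Input encoding" instead would have stored and queried O&#39;Conner.
        for (String bad : new String[] {"%3Cscript%3E", "%253Cscript%253E"}) {
            try { validateName(canonicalize(bad)); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The single-encoded script tag fails validation, while the double-encoded one is caught already in canonicalization, before any whitelist is consulted.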


-----Original Message-----
From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Chris Schmidt
Sent: Wednesday, May 09, 2012 9:26 AM
To: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] xss and securitywrapper


The referenced blog post illustrates the absolute wrong way to address XSS. There are several problems with this approach:

1) Blacklist Filtering is bad mmkay
2) No contextual output encoding
3) No canonicalization
4) Blacklist Filtering is bad mmkay

You may want to start here:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

The XSS Prevention Cheat Sheet is a great reference for addressing XSS issues in general.

Also the SecureWrapper provides wrapped requests that perform validation against attackable portions of the request and response -- this is mainly to prevent attacks like request splitting and file download injection. While this does provide a key piece of the protection against XSS attacks (Canonicalization/Validation) it is by no means a complete solution and by its very definition will not prevent XSS attacks.

Take a look at the cheat sheet referenced above and let us know if you have any additional questions.

Chris

On 5/9/2012 4:06 AM, Özkan Pakdil wrote:
> I have a question. we are using
> http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/
> for xss attack prevention
> and there is
> http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/filters/SecurityWrapper.html
> for this purpose in esapi
> am I correct ?
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
