[Esapi-user] xss and securitywrapper
jeff.williams at aspectsecurity.com
Wed May 9 14:52:35 UTC 2012
Absolutely agree. Doing "input encoding" is likely to break many applications. All of a sudden you're going to be searching for O'Conner in your database. And a million other problems. You should think in terms of this pattern: canonicalize, validate, output encode.
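Added example, not code from this thread or from ESAPI: a small Python sketch of the canonicalize, validate, output-encode pattern described above, placed beside the "encode on input" and blacklist-filter approaches that the quoted reply below criticises. Function names, the name whitelist regex and the sample inputs are my own assumptions; the canonicalizer only loosely mimics ESAPI's strict rejection of multiply-encoded input and is not its implementation.

```python
import html
import json
import re
import urllib.parse

# Constructed sample inputs (not from the thread): a legitimate name that
# contains an apostrophe, a URL-encoded tag, and a double-URL-encoded tag.
SAMPLE_NAME = "O'Conner"
ENCODED_TAG = "%3Cscript%3E"          # one decoding round yields <script>
DOUBLE_ENCODED_TAG = "%253Cscript%253E"  # %25 is '%', so two rounds are needed

# Whitelist for a person's name: letters/digits/underscore (\w is Unicode-aware
# in Python 3), apostrophe, space, dot, hyphen. Assumed policy for this example.
NAME_PATTERN = re.compile(r"^[\w' .\-]{1,64}$")


def canonicalize(value: str) -> str:
    """Reduce URL and HTML-entity encoding to a single plain representation.
    If a second decoding round still changes the value, the input was encoded
    more than once, which legitimate data never is, so it is rejected outright
    (loosely modelled on ESAPI's strict-mode behaviour, not its code)."""
    once = html.unescape(urllib.parse.unquote(value))
    twice = html.unescape(urllib.parse.unquote(once))
    if twice != once:
        raise ValueError("multiple encoding detected; rejecting input")
    return once


def validate_name(raw: str) -> str:
    """Step 1 and 2 of the pattern: canonicalize, then whitelist-validate.
    Returns the clean value to be stored unencoded."""
    clean = canonicalize(raw)
    if not NAME_PATTERN.fullmatch(clean):
        raise ValueError(f"rejected name: {clean!r}")
    return clean


def encode_for_html(value: str) -> str:
    """Step 3 for an HTML body or quoted-attribute context."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Step 3 for a JavaScript string-literal context: JSON escaping plus
    \\u-escapes for characters that could break out of an inline <script>."""
    encoded = json.dumps(value)[1:-1]  # strip the surrounding double quotes
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"),
                    ("&", "\\u0026"), ("'", "\\u0027")):
        encoded = encoded.replace(ch, esc)
    return encoded


def store_with_input_encoding(raw: str) -> str:
    """The anti-pattern: HTML-encode on the way in and persist the result."""
    return html.escape(raw, quote=True)


def blacklist_filter(value: str) -> str:
    """The other anti-pattern: strip one known-bad token and hope.
    Without canonicalization it never sees the URL-encoded form."""
    return re.sub(r"<script", "", value, flags=re.IGNORECASE)


def compare_strategies(raw: str) -> dict:
    """Why encode-on-input breaks data use (an exact-match search for the
    original value misses the stored row) while the canonicalize/validate/
    output-encode pattern keeps the stored value intact."""
    encoded_on_input = store_with_input_encoding(raw)
    clean = validate_name(raw)
    return {
        "stored_by_input_encoding": encoded_on_input,
        "search_hit_with_input_encoding": encoded_on_input == raw,
        "stored_by_output_encoding": clean,
        "search_hit_with_output_encoding": clean == raw,
        "html_output": encode_for_html(clean),
        "js_output": encode_for_js_string(clean),
    }


if __name__ == "__main__":
    for key, val in compare_strategies(SAMPLE_NAME).items():
        print(f"{key}: {val}")
    print("blacklist left untouched:", blacklist_filter(ENCODED_TAG))
    for bad in (ENCODED_TAG, DOUBLE_ENCODED_TAG):
        try:
            validate_name(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Run as a script it prints the two storage outcomes for `O'Conner` side by side, shows that the blacklist filter passes `%3Cscript%3E` unchanged, and shows the canonicalize-then-validate step rejecting both encoded forms. The encoding functions are chosen at render time by context (HTML versus JavaScript string), which is the "contextual output encoding" the reply below says the criticised approach lacks.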
From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Chris Schmidt
Sent: Wednesday, May 09, 2012 9:26 AM
To: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] xss and securitywrapper
The referenced blog post illustrates the absolute wrong way to address XSS. There are several problems with this approach:
1) Blacklist Filtering is bad mmkay
2) No contextual output encoding
3) No canonicalization
4) Blacklist Filtering is bad mmkay
You may want to start here:
The XSS Prevention Cheat Sheet is a great reference for addressing XSS issues in general.
Also the SecureWrapper provides wrapped requests that perform validation against attackable portions of the request and response -- this is mainly to prevent attacks like request splitting and file download injection. While this does provide a key piece of the protection against XSS attacks (Canonicalization/Validation) it is by no means a complete solution and by its very definition will not prevent XSS attacks.
Take a look at the cheat sheet referenced above and let us know if you have any additional questions.
On 5/9/2012 4:06 AM, Özkan Pakdil wrote:
> I have a question. we are using
> for xss attack prevention
> and there is
> for this purpose in esapi
> am I correct ?