[OWASP ASVS] Why is XSS not called out in ASVS version 2?

Jim Manico jim.manico at owasp.org
Wed Sep 3 23:55:17 UTC 2014


> Agreed, let's also correlate on the specific "mitigating control" and
> its associated level of "vigour" too.

+1 Good call, Christian.

I think it's almost fair to say:

For Reflective and Stored XSS: Output Encoding is the primary defense
For DOM XSS: Safe use of JS / JSON Parsing
Ultra advanced: CSP is the best defense

These could be different ASVS items (next rev) or different levels of 
rigor for a more catch-all XSS item.

Aloha,
Jim

On 9/3/14, 12:57 PM, Christian Heinrich wrote:
> Jim,
>
> On Thu, Sep 4, 2014 at 4:56 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> We need to be a little careful here. Output encoding is NOT the right
>> defense for every framework. If you are using heavy JavaScript and JSON type
>> architectures where there is no real page refresh, then you want to focus on
>> safe use of JS sinks and proper JSON parsing. If a standard says that output
>> encoding is the only XSS defense then it will be wrong and get even more
>> wrong over time.
> Agreed, let's also correlate on the specific "mitigating control" and
> its associated level of "vigour" too.
>
>