[OWASP-Bangalore] Help with whitelists for protection against XSS

Akash akashmahajan at gmail.com
Wed Jun 10 07:19:50 EDT 2009


Yes, basically that is how it is supposed to work. But there are
different languages and character sets.

< in one charset might be something else in another charset. This
also differs a lot between browsers. Behaviour in IE6/FF3.1
etc. can be different.

Which is why whitelisting makes sense. But it is more effective when
introduced as part of the whole software development life cycle. The
link I have mentioned has many examples for this.


2009/6/10 Prashanth Sivarajan <prash.siv at gmail.com>:
> I saw somewhere that everything that goes out of the server should be HTML
> encoded (no whitelisting). So the special meaning of all the non-alphanumerics
> is masked. Any comments on this?
>
> for example...a search string that contains XSS characters '<script' will be
> converted to &#60;script.
> The browser when reading the encoded chars will not interpret the special
> meaning of '<' it will be displayed as '<' ie. there is no double decoding.
>
>
> any comments on this?
>
> On Wed, Jun 10, 2009 at 3:48 PM, <raxitsheth2000 at gmail.com> wrote:
>>
>> you may find many stuff here.
>>
>> www.xssed.com
>>
>> Happy (anti-)Hacking :)
>>
>> -Raxit Sheth
>> www.m4mum.com
>>
>> On Jun 10, 2009 1:15pm, Chaitanya <chaitanya.sharma at gmail.com> wrote:
>> > Hi.
>> >
>> > I'm looking for help (tuts, papers, comments etc) related to using
>> > whitelists for protection against XSS.  I need to help some UI developers
>> > implement whitelists in a java (JSP) project.  Any help from the community
>> > will be appreciated. I'm sure this discussion will also profit others.
>> >
>> >
>> >
>> > Regards,
>> > Chaitanya
>> >
>> > http://blog.chaitanyasharma.in
>> >
>> _______________________________________________
>> OWASP-Bangalore mailing list
>> OWASP-Bangalore at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>>
>
>



-- 
warm regards,
Akash Mahajan
----------------------------------------------------------
Security Consultant, (Web / Networks /
Servers / IT/ Virtualization)
Founder Headstart Network Foundation
----------------------------------------------------------
http://www.linkedin.com/in/akashm
http://network.headstart.in
----------------------------------------------------------
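The output-encoding approach Prashanth describes (mask every non-alphanumeric character as a numeric entity so the browser never sees a bare `<`), together with the charset point Akash raises, as an added example for a Java/JSP project. This is not code from the thread or from any of its participants; the class name `HtmlOutputEncoder` and the sample search string are assumptions made for the illustration, and the numeric-entity scheme is the one Prashanth quotes (`<` becomes `&#60;`).

```java
/**
 * Added example (not from the mailing-list thread).
 *
 * Encodes a string for insertion into an HTML text node or a quoted
 * attribute value by turning every character that is not [A-Za-z0-9]
 * into a decimal numeric character reference (&#NNN;). Because the
 * encoded output contains only letters, digits, '&', '#' and ';',
 * nothing in it can start a tag, end an attribute, or open a comment,
 * whatever the original text contained.
 *
 * Two caveats a practitioner should keep in mind:
 *  1. This is for HTML body/attribute context only. Text placed inside a
 *     <script> block, a URL, or a CSS property needs a different encoder.
 *  2. Encode exactly once, at output time. Re-encoding already encoded
 *     text turns "&#60;" into "&#38;#60;", which the browser then shows
 *     literally as "&#60;".
 */
public final class HtmlOutputEncoder {

    /**
     * JSP page directive that pins the response charset. Declaring the
     * charset explicitly stops the browser from sniffing a different one
     * (the "< in one charset might be something else in another" problem),
     * so the encoder's assumptions about what '<' is actually hold.
     */
    public static final String JSP_CONTENT_TYPE_DIRECTIVE =
            "<%@ page contentType=\"text/html; charset=UTF-8\" %>";

    private HtmlOutputEncoder() {
    }

    /** Returns true for ASCII letters and digits only (the whitelist). */
    static boolean isAsciiAlphanumeric(int codePoint) {
        return (codePoint >= 'a' && codePoint <= 'z')
                || (codePoint >= 'A' && codePoint <= 'Z')
                || (codePoint >= '0' && codePoint <= '9');
    }

    /**
     * Encode {@code input} for an HTML text or attribute context.
     * Null is treated as the empty string so templates never see "null".
     * Iterates by code point (not by char) so that characters outside the
     * BMP are emitted as a single entity rather than two surrogate halves.
     */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() * 2);
        int i = 0;
        while (i < input.length()) {
            int cp = input.codePointAt(i);
            i += Character.charCount(cp);
            if (isAsciiAlphanumeric(cp)) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#").append(cp).append(';');
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a search string carrying an XSS payload.
        String search = "<script>alert('xss')</script>";
        String once = encodeForHtml(search);
        System.out.println(JSP_CONTENT_TYPE_DIRECTIVE);
        System.out.println("encoded once : " + once);
        // Demonstrates caveat 2: encoding the encoded value again is wrong.
        System.out.println("encoded twice: " + encodeForHtml(once));
    }
}
```

In a JSP the directive goes at the top of the page and the encoder is called at every output point, for example `<%= HtmlOutputEncoder.encodeForHtml(request.getParameter("q")) %>`; the whitelist of characters passed through untouched is deliberately the smallest one that still leaves the rendered text readable.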

