[OWASP-Bangalore] Help with whitelists for protection against XSS

Prashanth Sivarajan prash.siv at gmail.com
Wed Jun 10 07:30:51 EDT 2009


Does that total encoding solution I mentioned have any drawbacks? Because
it seems to be a simple solution, but not many use it.

On Wed, Jun 10, 2009 at 4:49 PM, Akash <akashmahajan at gmail.com> wrote:

> Yes basically that is how it is supposed to work. But there are
> different languages, character sets
>
> < in one charset might be something else in another char set. This
> also differs a lot based on different browsers. Behaviour in IE6/FF3.1
> etc. can be different.
>
> Which is why whitelisting makes sense. But it is more effective when
> introduced as part of the whole software development life cycle. The
> link I have mentioned has many examples for this.
>
>
> 2009/6/10 Prashanth Sivarajan <prash.siv at gmail.com>:
> > I saw somewhere that everything that goes out of the server should be
> > HTML encoded (no whitelisting). So the special meaning of all the
> > non-alphanumerics is masked. Any comments on this?
> >
> > For example, a search string that contains XSS characters '<script' will
> > be converted to &#60;script.
> > The browser, when reading the encoded chars, will not interpret the special
> > meaning of '<'; it will be displayed as '<', i.e. there is no double
> > decoding.
> >
> >
> > Any comments on this?
> >
> > On Wed, Jun 10, 2009 at 3:48 PM, <raxitsheth2000 at gmail.com> wrote:
> >>
> >> You may find a lot of stuff here.
> >>
> >> www.xssed.com
> >>
> >> Happy (anti-)Hacking :)
> >>
> >> -Raxit Sheth
> >> www.m4mum.com
> >>
> >> On Jun 10, 2009 1:15pm, Chaitanya <chaitanya.sharma at gmail.com> wrote:
> >> > Hi.
> >> >
> >> > I'm looking for help (tuts, papers, comments etc.) related to using
> >> > whitelists for protection against XSS. I need to help some UI
> >> > developers implement whitelists in a Java (JSP) project. Any help from
> >> > the community will be appreciated. I'm sure this discussion will also
> >> > profit others.
> >> >
> >> >
> >> >
> >> > Regards,
> >> > Chaitanya
> >> >
> >> > http://blog.chaitanyasharma.in
> >> >
> >> _______________________________________________
> >> OWASP-Bangalore mailing list
> >> OWASP-Bangalore at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>
> --
> warm regards,
> Akash Mahajan
> ----------------------------------------------------------
> Security Consultant, (Web / Networks /
> Servers / IT/ Virtualization)
> Founder Headstart Network Foundation
> ----------------------------------------------------------
> http://www.linkedin.com/in/akashm
> http://network.headstart.in
> ----------------------------------------------------------
>
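A worked example of the two defences discussed in this thread, added here and not taken from any of the messages: a strict whitelist check on the input side and numeric-entity encoding of every non-alphanumeric character on the output side, written in Java because the original question concerns a JSP project. The class name, the whitelist pattern and the sample search term are assumptions constructed for this example.

```java
import java.util.regex.Pattern;

/** Constructed example: whitelist validation plus HTML output encoding. */
public final class XssDefence {

    // Hypothetical whitelist for a search field: ASCII letters, digits, space
    // and a few punctuation marks, 1 to 100 characters. Tune per field.
    private static final Pattern SEARCH_WHITELIST =
            Pattern.compile("^[A-Za-z0-9 .,-]{1,100}$");

    /** True only if the whole input consists of whitelisted characters. */
    public static boolean isAllowedSearchTerm(String input) {
        return input != null && SEARCH_WHITELIST.matcher(input).matches();
    }

    /**
     * Encodes every character except ASCII letters and digits as a decimal
     * numeric entity, so '<' becomes "&#60;" and the browser never sees
     * markup. Works on code points rather than UTF-16 units, so characters
     * outside the BMP are encoded whole instead of as two surrogate halves.
     */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() * 2);
        input.codePoints().forEach(cp -> {
            boolean alnum = (cp >= 'a' && cp <= 'z')
                    || (cp >= 'A' && cp <= 'Z')
                    || (cp >= '0' && cp <= '9');
            if (alnum) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#").append(cp).append(';');
            }
        });
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a search term carrying markup.
        String term = "<script>alert(1)</script>";
        // Whitelist rejects it on input; the encoder neutralises it on output.
        System.out.println("whitelisted: " + isAllowedSearchTerm(term));
        System.out.println("encoded:     " + encodeForHtml(term));
    }
}
```

This encoding is correct for text placed in the HTML body, the context the thread discusses; a value written inside a script block, an attribute or a URL needs that context's own encoding, and the page should declare its charset (for example via Content-Type) so the browser decodes the bytes the way the server encoded them.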