[OWASP-Bangalore] Help with whitelists for protection against XSS

Akash akashmahajan at gmail.com
Wed Jun 10 07:40:09 EDT 2009


2009/6/10 Prashanth Sivarajan <prash.siv at gmail.com>:
>  Does that total encoding solution I mentioned have any drawbacks? Because
> it seems to be a simple solution, but not many use it.

Encoding HTML entities is an effective defence against XSS, but that
is for output. Whitelisting is meant to be used while taking input
for an app.

Refer to the OWASP page on this
http://www.owasp.org/index.php/Top_10_2007-A1

>
> On Wed, Jun 10, 2009 at 4:49 PM, Akash <akashmahajan at gmail.com> wrote:
>>
>> Yes, basically that is how it is supposed to work. But there are
>> different languages and character sets.
>>
>> < in one charset might be something else in another charset. This
>> also differs a lot based on different browsers. Behaviour in IE6/FF3.1
>> etc. can be different.
>>
>> Which is why whitelisting makes sense. But it is more effective when
>> introduced as part of the whole software development life cycle. The
>> link I have mentioned has many examples for this.
>>
>>
>> 2009/6/10 Prashanth Sivarajan <prash.siv at gmail.com>:
>> > I saw somewhere that everything that goes out of the server should be
>> > HTML encoded (no whitelisting), so the special meaning of all the
>> > non-alphanumerics is masked. Any comments on this?
>> >
>> > For example, a search string that contains XSS characters '<script'
>> > will be converted to &#60;script.
>> > The browser, when reading the encoded chars, will not interpret the
>> > special meaning of '<'; it will be displayed as '<', i.e. there is no
>> > double decoding.
>> >
>> >
>> > Any comments on this?
>> >
>> > On Wed, Jun 10, 2009 at 3:48 PM, <raxitsheth2000 at gmail.com> wrote:
>> >>
>> >> You may find a lot of stuff here.
>> >>
>> >> www.xssed.com
>> >>
>> >> Happy (anti-)Hacking :)
>> >>
>> >> -Raxit Sheth
>> >> www.m4mum.com
>> >>
>> >> On Jun 10, 2009 1:15pm, Chaitanya <chaitanya.sharma at gmail.com> wrote:
>> >> > Hi.
>> >> >
>> >> > I'm looking for help (tuts, papers, comments etc.) related to using
>> >> > whitelists for protection against XSS. I need to help some UI
>> >> > developers implement whitelists in a Java (JSP) project. Any help
>> >> > from the community will be appreciated. I'm sure this discussion
>> >> > will also profit others.
>> >> >
>> >> >
>> >> >
>> >> > Regards,
>> >> > Chaitanya
>> >> >
>> >> > http://blog.chaitanyasharma.in
>> >> >
>> >> _______________________________________________
>> >> OWASP-Bangalore mailing list
>> >> OWASP-Bangalore at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
>> >>
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> warm regards,
>> Akash Mahajan
>> ----------------------------------------------------------
>> Security Consultant, (Web / Networks /
>> Servers / IT/ Virtualization)
>> Founder Headstart Network Foundation
>> ----------------------------------------------------------
>> http://www.linkedin.com/in/akashm
>> http://network.headstart.in
>> ----------------------------------------------------------
>
>
>
>



-- 
warm regards,
Akash Mahajan
----------------------------------------------------------
Security Consultant, (Web / Networks /
Servers / IT/ Virtualization)
Founder Headstart Network Foundation
----------------------------------------------------------
http://www.linkedin.com/in/akashm
http://network.headstart.in
----------------------------------------------------------
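An added example, not part of the thread above and not code from OWASP or any of the posters, showing the two controls the thread discusses side by side for a Java (JSP) project: output encoding of every non-alphanumeric character as a numeric HTML entity (the "total encoding" scheme described above, which turns '<script' into &#60;script), and a whitelist check applied at the input boundary. The class name, the search-term pattern and the sample strings are assumptions chosen for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the OWASP-Bangalore thread).
 *  - encodeForHtml(): output control. Every character outside [A-Za-z0-9]
 *    is written as a numeric entity, so the browser renders it as text.
 *  - isWhitelisted(): input control. The value is accepted only if it
 *    matches an allow-list of characters for this particular field.
 */
public final class XssControls {

    /** Output control: encode everything except [A-Za-z0-9] as &#NNN;. */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() * 2);
        // Walk by code point so a supplementary character becomes one entity,
        // not two surrogate halves.
        for (int i = 0; i < input.length(); ) {
            int cp = input.codePointAt(i);
            boolean alnum = (cp >= 'a' && cp <= 'z')
                         || (cp >= 'A' && cp <= 'Z')
                         || (cp >= '0' && cp <= '9');
            if (alnum) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#").append(cp).append(';');
            }
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    /**
     * Input control: a hypothetical allow-list for a search box. Anything
     * that is not letters, digits, space, dot, underscore or hyphen, or is
     * longer than 64 characters, is rejected before it is stored or used.
     */
    private static final Pattern SEARCH_TERM =
            Pattern.compile("^[A-Za-z0-9 ._-]{1,64}$");

    public static boolean isWhitelisted(String input) {
        return input != null && SEARCH_TERM.matcher(input).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String hostile = "<script>alert('xss')</script>";
        String benign = "owasp bangalore";

        // Whitelist at the input boundary: the hostile string never gets in.
        System.out.println("whitelist(hostile) = " + isWhitelisted(hostile));
        System.out.println("whitelist(benign)  = " + isWhitelisted(benign));

        // Output encoding: even if the hostile string reaches the page, the
        // browser receives entities and never sees a '<' to parse as a tag.
        System.out.println("encoded(hostile)   = " + encodeForHtml(hostile));
        System.out.println("encoded(benign)    = " + encodeForHtml(benign));
    }
}
```

Two practitioner notes on this. Numeric entities such as &#60; name a Unicode code point, so they mean the same thing whatever charset the page is served in; that sidesteps the charset ambiguity raised above, provided the response charset is still declared explicitly (for example via response.setCharacterEncoding and a matching meta tag). And HTML entity encoding is the right encoder only when the value lands in HTML body text or a quoted attribute; a value written inside a <script> block, an event handler, or a URL needs the encoder for that context, so the whitelist on input and the encoder on output are complementary rather than interchangeable.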

