[OWASP-Bangalore] Help with whitelists for protection against XSS

Prashanth Sivarajan prash.siv at gmail.com
Wed Jun 10 08:04:48 EDT 2009


Oh ok, that explains my main doubts. Thanks. The link echoes what you said
here: input has to be validated and output has to be encoded.
But XSS is executed only at the client (browser), so why take the pain of
filtering the input? For all you know those characters may mean something
useful to the application itself.


On Wed, Jun 10, 2009 at 5:10 PM, Akash <akashmahajan at gmail.com> wrote:

> 2009/6/10 Prashanth Sivarajan <prash.siv at gmail.com>:
> > Does that total encoding solution I mentioned have any drawbacks?
> > Because it seems to be a simple solution but not many use it.
>
> Encoding HTML entities is an effective defence against XSS. But that
> is for output. Whitelisting is meant to be used while taking input
> for an app.
>
> Refer to the OWASP page on this
> http://www.owasp.org/index.php/Top_10_2007-A1
>
> >
> > On Wed, Jun 10, 2009 at 4:49 PM, Akash <akashmahajan at gmail.com> wrote:
> >>
> >> Yes, basically that is how it is supposed to work. But there are
> >> different languages and character sets.
> >>
> >> '<' in one charset might be something else in another charset. This
> >> also differs a lot based on different browsers. Behaviour in IE6/FF3.1
> >> etc. can be different.
> >>
> >> Which is why whitelisting makes sense. But it is more effective when
> >> introduced as part of the whole software development life cycle. The
> >> link I have mentioned has many examples for this.
> >>
> >>
> >> 2009/6/10 Prashanth Sivarajan <prash.siv at gmail.com>:
> >> > I saw somewhere that everything that goes out of the server should be
> >> > HTML encoded (no whitelisting). So the special meaning of all the
> >> > non-alphanumerics is masked. Any comments on this?
> >> >
> >> > For example, a search string that contains XSS characters '<script'
> >> > will be converted to &#60;script.
> >> > The browser, when reading the encoded chars, will not interpret the
> >> > special meaning of '<'; it will be displayed as '<', i.e. there is no
> >> > double decoding.
> >> >
> >> >
> >> > Any comments on this?
> >> >
> >> > On Wed, Jun 10, 2009 at 3:48 PM, <raxitsheth2000 at gmail.com> wrote:
> >> >>
> >> >> You may find a lot of stuff here.
> >> >>
> >> >> www.xssed.com
> >> >>
> >> >> Happy (anti-)Hacking :)
> >> >>
> >> >> -Raxit Sheth
> >> >> www.m4mum.com
> >> >>
> >> >> On Jun 10, 2009 1:15pm, Chaitanya <chaitanya.sharma at gmail.com> wrote:
> >> >> > Hi.
> >> >> >
> >> >> > I'm looking for help (tuts, papers, comments etc.) related to using
> >> >> > whitelists for protection against XSS. I need to help some UI
> >> >> > developers implement whitelists in a Java (JSP) project. Any help
> >> >> > from the community will be appreciated. I'm sure this discussion
> >> >> > will also profit others.
> >> >> >
> >> >> >
> >> >> >
> >> >> > Regards,
> >> >> > Chaitanya
> >> >> >
> >> >> > http://blog.chaitanyasharma.in
> >> >> >
> >> >> _______________________________________________
> >> >> OWASP-Bangalore mailing list
> >> >> OWASP-Bangalore at lists.owasp.org
> >> >> https://lists.owasp.org/mailman/listinfo/owasp-bangalore
> >> >>
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> warm regards,
> >> Akash Mahajan
> >> ----------------------------------------------------------
> >> Security Consultant, (Web / Networks /
> >> Servers / IT/ Virtualization)
> >> Founder Headstart Network Foundation
> >> ----------------------------------------------------------
> >> http://www.linkedin.com/in/akashm
> >> http://network.headstart.in
> >> ----------------------------------------------------------
> >
> >
> >
> >
>
>
>
>
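As an added illustration of the two layers discussed in this thread (a whitelist on the search input, and HTML entity encoding on output, so that '<script' reaches the browser as &#60;script), here is a small stand-alone Java class written for this page; it is not code from the thread, from OWASP or from Chaitanya's project, and the class, method and pattern names are my own choices. The whitelist pattern is an assumption about what a search box needs and must be adjusted per field.

```java
import java.util.regex.Pattern;

/** Added example: input whitelist plus output encoding for a search field. */
public final class SearchXssDefence {

    // Input layer: the search parameter may contain only letters, digits,
    // spaces and a few punctuation marks. Anything else is rejected at the
    // boundary, before the value is used by the application at all.
    // (Assumed character set; tune it to what the field really needs.)
    private static final Pattern SEARCH_WHITELIST =
            Pattern.compile("^[\\p{Alnum} .,_-]{1,100}$");

    /** Returns true only if the whole string matches the whitelist. */
    public static boolean isAllowedSearchTerm(String input) {
        return input != null && SEARCH_WHITELIST.matcher(input).matches();
    }

    /**
     * Output layer: every character outside [A-Za-z0-9 ] is written as a
     * numeric entity, so '<' is emitted as &#60; and the browser renders it
     * literally instead of treating it as markup. Code points are used so
     * that characters outside the BMP are encoded as one entity, not two.
     */
    public static String encodeForHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        int i = 0;
        while (i < value.length()) {
            int cp = value.codePointAt(i);
            i += Character.charCount(cp);
            boolean safe = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z')
                    || (cp >= '0' && cp <= '9') || cp == ' ';
            if (safe) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#").append(cp).append(';');
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String search = "<script>alert(1)</script>";   // constructed sample input
        // Layer 1: the whitelist rejects this value outright.
        System.out.println("whitelist accepts: " + isAllowedSearchTerm(search));
        // Layer 2: if the value is ever rendered anyway, encoding neutralises it.
        System.out.println("encoded output:    " + encodeForHtml(search));
        System.out.println("whitelist accepts: " + isAllowedSearchTerm("owasp bangalore"));
    }
}
```

In a JSP page the output layer can also be obtained with JSTL's `<c:out value="${param.q}"/>`, which escapes `<`, `>`, `&`, `'` and `"` by default (escapeXml="true"); the whitelist check still belongs in the server-side code that accepts the parameter.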