[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Erlend Oftedal erlend.oftedal at owasp.org
Thu Oct 24 06:22:40 UTC 2013

I think the distinction between stored and reflected is useful.
Remember that stored XSS can occur on completely different locations.
Consider an attack where the attack string ends up in a web enabled log
in the admin gui. So for stored, sink and source can be far from each
other, while for reflected they are always found relatively close to
each other in the code.
Instead of talking about different types of XSS, from a defensive point
of view, we need to be able to identify sources and sinks to mitigate
with correct escaping. For reflected XSS, the source is the request.
For a stored XSS, the source is the databases, files and other types of
backend storage. Although it could also include web storage for
DOM-based. And then there is pure DOM-based where the browser is the
And next the sink is either server-generated HTML/JavaScript, while the
sink is in JavaScript for all types of DOM-based.

From: Giorgio Fedon
Sent: 23.10.2013 23:25
To: Achim
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP DOM based XSS definition, which looked
a little off
On 10/23/2013 11:05 PM, Achim wrote:
> oops, my point was not to stick on a single XSS definition, but on
> reflected, persistent and DOM-based. As these are problems on different places.
> All others are variants of these, as we know today.
Oops, I misunderstood. Sorry Achim.

However I think that the categories are:

- XSS or generic XSS
- DomXSS

I would remove "stored" as a category. Both can be non persistent or
persistent but this is an additional aspect that makes the previous
more critical (if persistent).

| Giorgio Fedon, Owasp Italy
| In Input Validation
|            and Output Sanitization,
|                                   We Trust
| Web: https://www.owasp.org/index.php/Italy
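
The source/sink view discussed in this thread, as an added example that is not part of the original messages: the same constructed test string arrives from a request, from backend storage (the admin log view case) and from web storage, and the escaper is chosen by the sink alone. All names, the URL and the data are assumptions made for illustration; web storage is modelled with a `Map` so the code runs in Node without a browser.

```javascript
// Added example; every name and value below is constructed for illustration.
const MARKER = "<script>alert(1)</script>"; // harmless test string

// Three sources from the message: the request, backend storage, web storage.
const requestUrl = new URL("https://app.example/search?q=" + encodeURIComponent(MARKER));
const backendLog = [{ id: 1, userAgent: MARKER }];  // written earlier, shown later in an admin log view
const webStorage = new Map([["nickname", MARKER]]); // stand-in for localStorage

function readSources() {
  return {
    request: requestUrl.searchParams.get("q"),
    backendStorage: backendLog[0].userAgent,
    webStorage: webStorage.get("nickname"),
  };
}

// Escaper for the HTML sink (element content or quoted attribute value).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escaper for the JavaScript sink (a string literal inside an inline script).
function escapeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

const ESCAPER_FOR_SINK = { html: escapeHtml, jsString: escapeJsString };

// The sink picks the escaper; the source only says where the data came from.
function writeToSink(sink, value) {
  const escape = ESCAPER_FOR_SINK[sink];
  if (!escape) throw new Error("no escaper registered for sink: " + sink);
  return escape(value);
}

function renderAll() {
  const out = {};
  for (const [source, value] of Object.entries(readSources())) {
    out[source] = { html: writeToSink("html", value), jsString: writeToSink("jsString", value) };
  }
  return out;
}

console.log(renderAll());
```

In a browser the JavaScript-side sink for DOM-based flows would be a DOM write; assigning to `textContent` instead of `innerHTML` plays the role that `escapeHtml` plays here.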
