[Owasp-leaders] Help Required : Best Practices against XSS on custom UI creation

Dave Wichers dave.wichers at owasp.org
Mon Nov 28 14:49:31 UTC 2016


What language is the application written in? There are tools like AntiSamy
that reduce the attack surface in scenarios like this as you can define a
policy of what is and is not allowed, but ultimately, if you let the admin
put in javascript there isn't much you can do.

-Dave


On Mon, Nov 28, 2016 at 8:24 AM, Dibyendu Sikdar <dibyendu.coder at gmail.com>
wrote:

> Hi Experts,
>
> Recently I have come across some projects where the application allows the
> admin to code and create custom dashboard using html5, javascript and css.
>
> Now all the admins can have access to these dashboards. And just because
> it can allow js to be used, a rogue admin can put an xss payload in any of
> these dashboard and can perform malicious activities which can affect other
> admins.
>
> What are some best practices you can recommend here?
>
> --
> *Thanks and Regards,*
> *Dibyendu Sikdar*
> *https://www.linkedin.com/in/dibsyhex*
> *@dibsyhex*
> *OWASP Project Leader *
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
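Dave's point is that the defence is a policy stating what markup is allowed, not a list of bad things to strip. As an added illustration that is not part of this thread and is not AntiSamy itself, the Python sketch below applies such an allow-list (the tag, attribute and URL-scheme sets are assumptions chosen for a dashboard) using the standard library's html.parser; a real deployment should use a maintained sanitizer such as AntiSamy or its equivalent for the application's language, since HTML parsing has corners a short sketch does not cover.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy (assumption): what an admin dashboard may contain.
ALLOWED_TAGS = {"div", "span", "p", "h1", "h2", "h3", "ul", "li",
                "table", "tr", "td", "th", "a", "b", "i", "br"}
ALLOWED_ATTRS = {"class", "id", "href", "title"}   # no on* handlers, no style
ALLOWED_SCHEMES = {"http", "https"}                # javascript:/data: never pass
DROP_WITH_CONTENT = {"script", "style"}           # element and its body removed
VOID_TAGS = {"br"}


class PolicySanitizer(HTMLParser):
    """Rebuilds the input keeping only markup the policy explicitly allows."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = False  # True while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element removed, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or value is None:
                continue
            if name == "href" and urlparse(value.strip()).scheme.lower() not in ALLOWED_SCHEMES:
                continue  # only absolute http(s) links survive the policy
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.dropping = False
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize(markup):
    parser = PolicySanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```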

