XSS

From BC$ MobileTV Wiki

Cross-Site Scripting (also referred to as Cross-Server Scripting or Cross-Service Scripting, commonly abbreviated XSS) is now a well-known and well-documented attack on server resources through web applications and dynamic websites that use server-side code to create rich experiences on the web.


EXAMPLES

Excellent examples of companies that have consistently had to plug XSS and other security vulnerabilities are Google[1] and Microsoft[2].


XSS

XSS attacks are broadly classified into two types:

  1. Non-Persistent
  2. Persistent

[3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
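An added example (not code from this wiki) showing the defence the cited references converge on: encode untrusted input for the HTML context it is rendered into, which neutralizes the value in both the non-persistent (reflected) and the persistent (stored) case. The sample input strings, the render helpers and the URL allowlist are constructed for this illustration.

```javascript
// Added example, not the wiki's code. A non-persistent value (echoed from the
// current request) and a persistent value (read back from storage) reach the
// browser the same way, so both go through the same output encoder.

// Encode a string for an HTML text node or a quoted attribute value.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// URL-valued attributes need a scheme allowlist on top of encoding: escapeHtml()
// alone leaves a "javascript:" URL fully functional inside an href.
function safeHref(untrusted) {
  const url = String(untrusted).trim();
  return /^https?:\/\//i.test(url) ? escapeHtml(url) : '#';
}

// Persistent case: a stored comment rendered for every later visitor.
function renderComment(author, body, website) {
  return `<p class="comment"><a href="${safeHref(website)}">${escapeHtml(author)}</a>: ${escapeHtml(body)}</p>`;
}

// Non-persistent case: echoing the search term back into the results page,
// once as a text node and once inside a quoted attribute.
function renderSearchEcho(query) {
  return `<p>Results for <em>${escapeHtml(query)}</em></p>`
       + `<input type="text" name="q" value="${escapeHtml(query)}">`;
}

// Constructed sample input: an author name carrying an inline event handler
// (reference 15 above: event attributes must never survive into the page).
const SAMPLE_AUTHOR = '<b onmouseover="x()">mallory</b>';

// Self-check used when reviewing templates: the rendered page must not contain
// the raw input anywhere.
function containsRawInput(html, input) {
  return html.includes(input);
}

console.log(renderComment(SAMPLE_AUTHOR, 'hello & goodbye', 'javascript:void(0)'));
console.log(containsRawInput(renderComment(SAMPLE_AUTHOR, '', ''), SAMPLE_AUTHOR));
```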


CSRF

Cross-Site Request Forgery (CSRF, sometimes pronounced "sea-surf", also abbreviated XSRF), also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, CSRF exploits the trust that a site has in a user's browser.

[16] [17] [18] [19]

Tools


Resources


Tutorials

[28] [29] [30] [31] [32]

[33] [34]


External Links

References

  1. Infamous XSS Security Researcher Billy Rios pokes another flaw with Google Application: http://www.theregister.co.uk/2008/04/15/google_spreadsheet_bug/
  2. Microsoft's Hotmail Security compromised: http://www.usatoday.com/tech/news/2001-08-31-hotmail-security-side.htm
  3. Stronger Anti Cross-Site Scripting (XSS) Filter for Java Web Apps: https://dzone.com/articles/stronger-anti-cross-site
  4. Cross Site Scripting (XSS) Attack Tutorial with Examples, Types & Prevention: https://www.softwaretestinghelp.com/cross-site-scripting-xss-attack-test/
  5. XSS attack examples: http://www.thegeekstuff.com/2012/02/xss-attack-examples/
  6. XSS Prevention Cheat Sheet for Penetration Testers: https://www.hackingloops.com/xss-prevention-cheat-sheet-for-penetration-testers/
  7. Java Best Practices to Prevent Cross Site Scripting: https://stackoverflow.com/questions/1159729/java-best-practices-to-prevent-cross-site-scripting
  8. XSS prevention in JSP/Servlet web application: https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application
  9. Javascript XSS Prevention: https://stackoverflow.com/questions/12799539/javascript-xss-prevention
  10. How to prevent XSS: https://portswigger.net/web-security/cross-site-scripting/preventing
  11. Stripping Dangerous Tags and Javascript from HTML: https://www.oreilly.com/library/view/python-cookbook/0596001673/ch11s07.html
  12. How to sanitize HTML with JavaScript: https://remarkablemark.org/blog/2019/11/29/javascript-sanitize-html/
  13. Strip HTML Tags in JavaScript: https://css-tricks.com/snippets/javascript/strip-html-tags-in-javascript/
  14. How to strip HTML tags from string in JavaScript?: https://stackoverflow.com/questions/5002111/how-to-strip-html-tags-from-string-in-javascript
  15. W3schools -- HTML DOM Events: https://www.w3schools.com/jsref/dom_obj_event.asp (events as attributes should be skipped/removed/stripped/disallowed/ignored)
  16. Complete Guide to Cross-Site Request Forgery (CSRF/XSRF): https://reflectoring.io/complete-guide-to-csrf/
  17. 3 Hurdles to Getting CSRF Protection Correct: http://blog.coverity.com/2014/04/29/3-hurdles-getting-csrf-protection-correct/
  18. CSRF Protection in Slim 3 PHP Framework: http://dzone.com/articles/csrf-protection-in-slim-3-php-framework
  19. CSRF exploits -- That single GraphQL issue that you keep missing: https://blog.doyensec.com/2021/05/20/graphql-csrf.html
  20. Reshaping web defenses with strict Content Security Policy: http://security.googleblog.com/2016/09/reshaping-web-defenses-with-strict.html
  21. Google tackles XSS scripting flaws with new developer tools: http://www.zdnet.com/article/google-tackles-xss-scripting-flaws-with-new-developer-tools/
  22. XSS Filter Evasion Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
  23. HarlemShake on major Banking/Financial websites: https://www.youtube.com/watch?v=OldCbJVBgyo
  24. CSS3/jQuery Harlem shake: https://github.com/Elfoslav/harlem-shake
  25. harlem-shake.js: https://gist.github.com/jonathantneal/656b23d080994df1587f770f61d88c77
  26. Do `Harlem Shake` on any websites!: https://licson.net/post/do-harlem-shake-on-any-websites/
  27. How To - Shake an Image: https://www.w3schools.com/howto/howto_css_shake_image.asp
  28. Don't be eval(): https://24ways.org/2005/dont-be-eval
  29. Is eval evil? Just In Time (JIT) compiling: https://wanago.io/2018/11/19/how-does-eval-work-and-how-is-it-evil-javascript-eval/
  30. eval() isn’t evil, just misunderstood: https://humanwhocodes.com/blog/2013/06/25/eval-isnt-evil-just-misunderstood/
  31. eval is not Evil: https://www.stevefenton.co.uk/2017/10/eval-not-evil/
  32. Eval is Evil, But Not Why You May Think: https://medium.com/mail-online/eval-is-evil-but-not-why-you-may-think-25961f9b01bb
  33. Correct location for ESAPI.properties under web project: https://stackoverflow.com/questions/29842208/correct-location-for-esapi-properties-under-web-project
  34. ESAPI Configuration in AEM: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/esapi-configuration-in-aem/qaq-p/308774

See Also

AJAX | Browser | Security