XSS Attack Prevention

Question

XSS Attack Prevention

I create a web page where the user can interact and perform basic operations with the file system (create the / dir file, delete the / dir file, navigate the file system) on the remote computer. A web page is basic HTML (UTF-8 encoded) and Javascript. I need to make this web page proof of XSS.

Failed to avoid all non-alphanumeric characters in user input (for protection against XSS-based DSS) and file name information (for protection against stored XSS) using Javascript (this outputs six percent hexadecimal values)?

I use only alphanumeric input. Also, since I am using percentage encoded hexadecimal values, I assume that the UTF encoding vulnerability should not be present.

Can anyone think of any security loophole in this mechanism?

+5

xss

Ambrax May 16, '09 at 18:01

source share

6 answers

Alo · Answer 1 · 2009-05-16T18:23:41+0000

Using javascript (this is what I think you are saying) to make escaping seems not too safe. It runs on the user's computer, and they can bypass the shielding mechanism with some effort.

What you are trying to do sounds right, but you need to do it on the server side.

AviD · Answer 2 · 2009-05-16T20:11:10+0000

A few notes:

As @Alo said, this should be done on the server side so that the attacker does not bypass your javascript at all and send malicious input directly to the server. However, as you noted, this should be done (in certain situations) ALSO on the client side to prevent DOM based XSS.
, UTF-8, , HTTP .. UTF-7.
- - ? ( ...) , XSS.

HTML XSS? , .

Gavin H · Answer 3 · 2009-05-16T20:20:23+0000

:

, GET POST, -.

, , POST.

GET, .

Zifre · Answer 4 · 2009-05-16T18:06:12+0000

, , , . , . , . , , , , , .

Demi · Answer 5 · 2009-05-16T18:21:27+0000

. - , , / /. , , .

, XSS ( "<", " > ", ";" ..), , . , , , XSS.

dontcallmi · Answer 6 · 2009-05-16T18:34:20+0000

XSS . , . Tt - , , . - . , % hex . , script . script utf-8. -XSS. Google OWASP .

XSS Attack Prevention

More articles: