xss
Config your IIS server to use the “Content-Security-Policy” header
From Ian Oxley’s Sitepoint article – Improving Web Security with the Content Security Policy, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration file. The example given in the linked post, <system.webServer> <httpProtocol> <customHeaders> <add name="Content-Security-Policy" value="default-src 'self';" /> </customHeaders> </httpProtocol> </system.webServer> demonstrates … Read more
HTML encode user input when storing or when displaying
I’d strongly suggest encoding information on the way out. Storing raw data in the database is useful if you wish to change the way it’s viewed at a certain point. The flow should be something similar to: sanitize user input -> protect against SQL injection -> DB -> encode for display. Think about a situation … Read more
how to set Http header X-XSS-Protection
I doubt it’d work as just a meta tag. You may have to tell your web server to send it as a real header. In PHP, you’d do it like header("X-XSS-Protection: 0"); In ASP.net: Response.AppendHeader("X-XSS-Protection", "0") In Apache’s config: Header set X-XSS-Protection 0 In IIS, there’s a section in the properties for extra headers. It often … Read more
What is cross site scripting?
With cross-site scripting, it’s possible to infect the HTML document produced without causing the web server itself to be infected. An XSS attack uses the server as a vector to present malicious content back to a client, either instantly from the request (a reflected attack), or delayed through storage and retrieval (a stored attack). An … Read more
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Don’t do this with regular expressions. Remember, you’re not protecting just against valid HTML; you’re protecting against the DOM that web browsers create. Browsers can be tricked into producing valid DOM from invalid HTML quite easily. For example, see this list of obfuscated XSS attacks. Are you prepared to tailor a regex to prevent this … Read more
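The two answers above make one point from two sides: store the raw text and encode it for the output context at display time (the "HTML encode user input" answer), and don't try to recognise attacks with a regex, because browsers build a DOM from input that no pattern anticipates (the answer just above). The following added example, which is not code from either answer, puts a typical strip-`<script>` regex next to output encoding over a handful of constructed comments, including obfuscated payloads of the kind the answer links to. The comment strings, function names and the `renderComment` template are this example's own.

```javascript
// Added example (not from the original answers): regex "XSS filter" versus
// encoding on the way out. All comments below are constructed for illustration.
const STORED_COMMENTS = [
  'Put your code in a <script> tag, 5 > 3 & "quotes" are fine', // benign, markup-like
  '<script>alert(1)</script>',                                   // the case a regex catches
  '<scr<script>ipt>alert(1)</script>',                           // reassembles after one strip
  '<img src=x onerror=alert(1)>',                                // no <script> tag at all
  '<svg/onload=alert(1)>',
  '" autofocus onfocus=alert(1) x="',                            // breaks out of an attribute
];

// The kind of blacklist the answer warns against: strip <script> tags.
function regexFilter(s) {
  return s.replace(/<\/?script[^>]*>/gi, '');
}

// A string dropped into HTML text or a quoted attribute must carry none of
// these characters raw; if it does, the DOM is no longer what the template meant.
function unsafeForHtml(s) {
  return /[<>"']/.test(s);
}

// Output encoding for the HTML text and quoted-attribute contexts.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeText(s) {
  return s.replace(/[&<>"']/g, c => ENTITIES[c]);
}

// What the reader sees after the browser parses the encoded text; used to
// check that encoding at display time loses nothing.
function decodeText(s) {
  const back = Object.fromEntries(Object.entries(ENTITIES).map(([k, v]) => [v, k]));
  return s.replace(/&(amp|lt|gt|quot|#x27);/g, m => back[m]);
}

// The raw value is what the DB holds; it is encoded once per output context
// at render time, here for both the text node and the title attribute.
function renderComment(raw) {
  return `<div class="comment" title="${encodeText(raw)}">${encodeText(raw)}</div>`;
}

// Score both approaches over the stored comments.
function compare(comments = STORED_COMMENTS) {
  return comments.map(raw => ({
    raw,
    afterRegex: regexFilter(raw),
    regexUnsafe: unsafeForHtml(regexFilter(raw)),
    encoded: encodeText(raw),
    encodedUnsafe: unsafeForHtml(encodeText(raw)),
    lossless: decodeText(encodeText(raw)) === raw,
  }));
}
```

Running `compare()` shows the regex catching only the plain `<script>` case, turning `<scr<script>ipt>` into a working `<script>` tag, and mangling the benign comment, while the encoded output never contains a raw markup character and decodes back to exactly what was stored. Encoding the already-encoded value a second time (what happens when you store encoded and then encode at display) yields `&amp;amp;`, which is why the raw value belongs in the database.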
Why and When to use Django mark_safe() function
Django is a framework, which tries to do “the right” thing by default. This means when you do the most simple thing, you’re probably doing the right thing. Now let’s look at some template in php and python: PHP: <? echo $foo ?> May give: <script src="evil"> Django: {{ foo }} Gives with the same … Read more
How Does Google Global Login Work?
A Google Login works like this: 1) You log in, normally at a login page that is under the Google.com/accounts domain. 1a) If you aren’t on the Google.com/accounts domain, it is going to forward you there after you post the form. This can be found on sites like Blogger. Once you arrive at the Google.com/accounts domain, … Read more
XSS attacks and style attributes
This does not work due to a click-jacking vulnerability. Example: <a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a> Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164 The code would be perfectly validated but it may cause serious damage. So, rule of thumb: use a very strict white list … Read more
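The answer above ends on "use a very strict white list". The following added example, not code from the answer, is what that looks like at the attribute level: a per-tag allow-list that keeps `href` and `title` on anchors, drops everything else (so `style`, and with it the full-screen overlay trick, never survives), and accepts an `href` only when it starts with an http(s) scheme, a site-relative path or a fragment, rather than trying to block `javascript:`. It operates on an already-parsed tag as a `{ name, attrs }` object, which is the form an HTML parser hands you; the allow-list contents, the `SAFE_URL` rule, the function names and the sample tags are this example's own assumptions.

```javascript
// Added example (not from the original answer): allow-list sanitiser for
// the attributes of one parsed tag. Input tags below are constructed.
const ALLOWED = {
  a: ['href', 'title'],
  b: [], i: [], em: [], strong: [], p: [], br: [],
};

// Allow-list for link targets: absolute http(s), site-relative path, or a
// fragment. Anything else (javascript:, data:, protocol-relative //host) is dropped.
const SAFE_URL = /^(https?:\/\/|\/(?!\/)|#)/i;

// Returns the tag with only allowed attributes, plus the names that were
// removed, or null when the tag itself is not allowed.
function sanitizeTag({ name, attrs }) {
  const tag = name.toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) return null;
  const kept = {};
  const dropped = [];
  for (const [rawKey, value] of Object.entries(attrs)) {
    const key = rawKey.toLowerCase();
    if (!ALLOWED[tag].includes(key)) { dropped.push(key); continue; }  // style, onclick, ...
    if (key === 'href' && !SAFE_URL.test(String(value).trim())) { dropped.push(key); continue; }
    kept[key] = String(value);
  }
  return { name: tag, attrs: kept, dropped };
}

// Serialise the opening tag, encoding attribute values for the quoted context.
function serializeTag(t) {
  const enc = v => v.replace(/[&"<>]/g, c => ({ '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' })[c]);
  const attrs = Object.entries(t.attrs).map(([k, v]) => ` ${k}="${enc(v)}"`).join('');
  return `<${t.name}${attrs}>`;
}

// The overlay anchor from the answer, as a parsed tag (constructed input).
const OVERLAY_LINK = {
  name: 'a',
  attrs: {
    href: 'http://example.com/attack.html',
    style: 'display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;',
  },
};

// Convenience: sanitise and serialise in one step; null for a rejected tag.
function cleanTag(tag) {
  const t = sanitizeTag(tag);
  return t === null ? null : serializeTag(t);
}
```

`cleanTag(OVERLAY_LINK)` yields `<a href="http://example.com/attack.html">`: the link is still a link, the overlay is gone. Because the URL check is an allow-list anchored at the start of the value, the usual `javascript:` evasions (mixed case, leading whitespace, embedded tabs or newlines) fail for the same reason a plain `javascript:` does, without any list of bad schemes to maintain.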