This is typically a problem if you are using JSONP to transfer data. Consider a website consisting of a domain A that loads data from domain B. The user has to be authenticated to site A and B, and because the Same Origin Policy prevents older browsers from communicating directly with a different domain (B) … Read more
You can try OWASP Java HTML Sanitizer. It is very simple to use. PolicyFactory policy = new HtmlPolicyBuilder() .allowElements(“a”) .allowUrlProtocols(“https”) .allowAttributes(“href”).onElements(“a”) .requireRelNofollowOnLinks() .build(); String safeHTML = policy.sanitize(untrustedHTML);
This potential xss vulnerability can be avoided by using the correct Content-Type. Based on RFC-4627 all JSON responses should use the application/json type. The following code is not vulnerable to xss, go ahead test it: <?php header(‘Content-type: application/json’); header(“x-content-type-options: nosniff”); print $_GET[‘json’]; ?> The nosniff header is used to disable content-sniffing on old versions of … Read more
Why are Ajax HTTP Requests not allowed to cross domain boundaries. Because AJAX requests are (a) submitted with user credentials, and (b) allow the caller to read the returned data. It is a combination of these factors that can result in a vulnerability. There are proposals to add a form of cross-domain AJAX that omits … Read more
If the error is shown even you send the right header, check if you send the header perhaps twice. This is shown in the error-console below network and you click on any file. Sending the header twice can happen if for the server add_header X-XSS-Protection “1; mode=block”; is noted in two different include-files or one … Read more
Strictly speaking, to prevent HTML injection, you need only encode < as <. If user input is going to be put in an attribute, also encode ” as ". If you’re doing things right and using properly quoted attributes, you don’t need to worry about >. However, if you’re not certain of this you should … Read more
Feel free to add to this list: Internet Explorer since 6 sp1 (source, source) Firefox since 2.0.0.5 (source) Opera since 9.5 (possibly earlier) (source) Safari since 4 (source) Chrome since 1.0.154 (source)
What does it really do? It allows third parties to link to a messed-up version of your site. It kicks in when [a few conditions are met and] it sees a string in the query submission that also exists verbatim in the page, and which it thinks might be dangerous. It assumes that if <script>something()</script> … Read more
Just formatting it for readability will clarify a lot: set ansi_warnings off DECLARE @T VARCHAR(255), @C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME, c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in (‘nvarchar’,’varchar’,’ntext’,’text’) and c.CHARACTER_MAXIMUM_LENGTH > 30 and t.table_name = c.table_name and t.table_type=”BASE TABLE” OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T, @C WHILE(@@FETCH_STATUS=0) BEGIN … Read more
If this.au is somehow modified, it might contain something like this: “><script src=”http://example.com/evilScript.js”></script><span class=” That’ll mess up your HTML and inject a script: <a class=”quiz-au” data-src=””><script src=”http://example.com/evilScript.js”></script><span class=””><span class=”quiz-au-icon”></span>Click to play</a> If you use DOM manipulation to set the src attribute, the script (or whatever other XSS you use) won’t be executed, as it’ll be … Read more