
[WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks




Hi Anurag,

You may be interested in Jeff Williams' article on the OWASP Java project which deals with exactly this issue, but uses a different approach:

1. Canonicalize the data
2. Apply a positive validation filter (i.e. a white list)
3. Perform HTML entity encoding on any special characters still left in the input


http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest

Regards,
Stephen



On 23 Jan 2007, at 17:25, anurag.agarwal@xxxxxxxxx wrote:

The source code is uploaded to the page. You can either view it at http://myappsecurity.blogspot.com/2007/01/xss-filter-to-protect-from-xss-attacks.html or download the Java file at http://www.attacklabs.com/xssfilter/XSSFilter.java

The url to test this filter is http://www.attacklabs.com/xssfilter/

Cheers,


Anurag Agarwal


SEEC - An application security search engine

Web: www.attacklabs.com , www.myappsecurity.com

Email : anurag.agarwal@xxxxxxxxx

Blog : http://myappsecurity.blogspot.com




----- Original Message ----
From: Amit Klein <aksecurity@xxxxxxxxx>
To: Anurag Agarwal <anurag.agarwal@xxxxxxxxx>
Cc: WASC Forum <websecurity@xxxxxxxxxxxxx>; "webappsec @OWASP" <webappsec@xxxxxxxxxxxxxxx>
Sent: Monday, January 22, 2007 11:50:06 PM
Subject: Re: [Webappsec] xss filter to protect from xss attacks


Anurag Agarwal wrote:
> I have created an XSS filter to protect from XSS attacks. Though I have
> filtered only 8 characters, I was able to test it against all the
> attacks mentioned in RSnake's cheat sheet. AppScan was not able to
> detect any XSS attacks on it. I request the application security
> community to help test this filter. I am 90% sure that you won't be
> able to perform any XSS attack on it; the rest 10% I will find out
> after the feedback from the community. For the curious mind, it is
> written in Java.
If this is an open source project, then where is the source code? If
it's not, then why should we bother testing it?


_______________________________________________
Webappsec mailing list
Webappsec@xxxxxxxxxxxxxxx
http://lists.owasp.org/mailman/listinfo/webappsec

--
Stephen de Vries
Corsaire Ltd
E-mail: stephen@xxxxxxxxxxxx
Tel: +44 1483 226014
Fax: +44 1483 226068
Web: http://www.corsaire.com
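The three steps Stephen lists (canonicalize, whitelist, then entity-encode what the whitelist still lets through) as a stand-alone Java example. This is added illustration code, not the OWASP HttpServletRequest wrapper from the linked article and not Anurag's XSSFilter.java. The "comment" field whitelist regex, the bound of four decode rounds, and the sample inputs are assumptions made for the example; the point it shows is that a filter which skips step 1 sees only `%253C` or `&#x3C;` and never the `<` those decode to.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: canonicalize -> whitelist -> HTML entity encode, for one string parameter. */
public final class ValidateAndEncode {

    // Assumption: no legitimate value is encoded more than four layers deep.
    private static final int MAX_DECODE_ROUNDS = 4;

    // Numeric entities plus the handful of named ones an attacker would use for XSS characters.
    private static final Pattern HTML_ENTITY =
        Pattern.compile("&(#x[0-9a-fA-F]+|#[0-9]+|lt|gt|amp|quot|apos);");

    // Assumption: a free-text "comment" field that may contain basic punctuation but no markup.
    private static final Pattern COMMENT_WHITELIST = Pattern.compile("^[A-Za-z0-9 .,'!?()-]{1,200}$");

    /** Step 1: undo URL and HTML-entity encoding repeatedly until the value stops changing. */
    public static String canonicalize(String input) {
        String current = input;
        for (int i = 0; i < MAX_DECODE_ROUNDS; i++) {
            String next = decodeHtmlEntities(urlDecode(current));
            if (next.equals(current)) {
                return current;
            }
            current = next;
        }
        // Still changing after the bound: treat as hostile rather than guess.
        throw new IllegalArgumentException("value is encoded more than " + MAX_DECODE_ROUNDS + " layers deep");
    }

    private static String urlDecode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");           // also turns '+' into a space
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return s;                                       // malformed %-sequence: whitelist will reject the '%'
        }
    }

    private static String decodeHtmlEntities(String s) {
        Matcher m = HTML_ENTITY.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String body = m.group(1);
            String replacement;
            try {
                if (body.startsWith("#x")) {
                    replacement = codePoint(Integer.parseInt(body.substring(2), 16));
                } else if (body.startsWith("#")) {
                    replacement = codePoint(Integer.parseInt(body.substring(1)));
                } else if (body.equals("lt")) {
                    replacement = "<";
                } else if (body.equals("gt")) {
                    replacement = ">";
                } else if (body.equals("amp")) {
                    replacement = "&";
                } else if (body.equals("quot")) {
                    replacement = "\"";
                } else {
                    replacement = "'";                      // apos
                }
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("malformed numeric entity: &" + body + ";");
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    private static String codePoint(int cp) {
        if (cp < 0 || cp > Character.MAX_CODE_POINT) {
            throw new IllegalArgumentException("numeric entity out of Unicode range");
        }
        return new String(Character.toChars(cp));
    }

    /** Step 2: positive validation. Anything not explicitly allowed is rejected. */
    public static boolean isAllowed(String canonical) {
        return COMMENT_WHITELIST.matcher(canonical).matches();
    }

    /** Step 3: entity-encode the characters that are special in HTML text and attribute values. */
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The three steps in order; throws if the canonical value fails the whitelist. */
    public static String validate(String rawParameter) {
        String canonical = canonicalize(rawParameter);
        if (!isAllowed(canonical)) {
            throw new IllegalArgumentException("comment contains characters outside the whitelist");
        }
        return htmlEncode(canonical);
    }

    public static void main(String[] args) {
        // Constructed inputs for the example, not taken from the filter's test page or the cheat sheet.
        String[] samples = {
            "Nice post, isn't it?",                     // accepted; apostrophe leaves as &#39;
            "%253Cscript%253E",                         // double URL-encoded "<script>": rejected after step 1
            "&#x3C;img src=x onerror=alert(1)&#x3E;",   // entity-encoded angle brackets: rejected after step 1
            "hello+world",                              // '+' canonicalizes to a space; accepted
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The order matters: the whitelist is applied to the decoded value, so `%253Cscript%253E` is rejected because it canonicalizes to `<script>`, not because `%` happens to be outside the whitelist. Step 3 is deliberately kept even though this whitelist admits no `<` or `>`, since a later change to the regex (say, allowing `&` in comments) should not silently reintroduce injection at the output side.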





----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




Brought to you by http://www.webappsec.org