How to begin fixing XSS hole in website
Question
I've never dealt with XSS before, but I just received a comment from a vistor that my website has XSS vulnerabilities.
He was nice enough to provide me with the string that activated a prompt box that displays the user's cookies. I have a lot code within this website and webapp, how do I find this and fix it? Where do I start?
2 answers
solution1
0 2013-06-18 09:35:36
OWASP also provided API to prevent this kind of attacks. Those API is written in several Programming languages.
You can download those API from here .
Why don't you go and download that API (in your preferred programming language) and use if for sanitizing the user input.
solution2
0 2013-06-18 09:40:45
One easy way to reduce (not stop) XSS vulnerabilities is to HTML encode all your output. You should also scrub the data that someone submits for XSS vulnerabilities. On the .NET platform you can use the antixss library, on PHP you could use strip_tags(), there should be something for whatever platform you're using but they're not going to be 100%. And check out the OWASP XSS Cheat Sheet at https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
XSS can be tricky, Stack Overflow, Gmail, Outlook Web Access all had XSS vulnerabilities in the past. But if you follow the cheat sheet for all your input and output you should be able to greatly reduce the problem. Search your code for any echo or response.write or
<?= ?>, <%= %>
After that move on to the input points, look for any Request.Form or $_GET or $_POST or however you're getting your data input.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.