[WEB SECURITY] XSS filters
chris at lookout.net
Tue Jun 14 19:46:35 EDT 2005
Nothing specific, and you sound like you already know what's going on a bit.
I've never seen a good XSS filter that couldn't be bypassed in some way. So
my recommendations to you are generic and simple right now. Create some
centralized, reusable input validation routines and output sanitization:
- whitelist instead of blacklist all input
- run all validation routines server-side, not client-side
- sanitize all output as safe URL or HTML encodings
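An added example of the three points above (not code from this thread; the original poster mentions ASP, but this is Python, and the field names and rules are assumed for illustration): one centralized whitelist validator that runs on the server, and separate encoders for the HTML and URL output contexts.

```python
import html
import re
from urllib.parse import quote

# Whitelist rules per field (assumed example fields): each pattern describes
# what valid input looks like; anything else is rejected, not "cleaned up".
FIELD_RULES = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "zipcode": re.compile(r"^[0-9]{5}$"),
    "comment": re.compile(r"^[\w .,!?'-]{1,500}$"),
}


class ValidationError(ValueError):
    pass


def validate(field, value):
    """Server-side whitelist check: returns the value or raises."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise ValidationError(f"no validation rule for field {field!r}")
    if not isinstance(value, str) or not rule.fullmatch(value):
        raise ValidationError(f"invalid value for field {field!r}")
    return value


def is_valid(field, value):
    """Boolean wrapper around validate() for callers that just need yes/no."""
    try:
        validate(field, value)
        return True
    except ValidationError:
        return False


def encode_html(text):
    """Encode for an HTML text node or double-quoted attribute value."""
    return html.escape(text, quote=True)


def encode_url_param(text):
    """Encode for use as a URL query-parameter value."""
    return quote(text, safe="")


def render_profile_link(username, comment):
    """Validate on input, then encode each value for the context it lands in."""
    username = validate("username", username)
    comment = validate("comment", comment)
    return (f'<a href="/profile?user={encode_url_param(username)}">'
            f'{encode_html(username)}</a>: {encode_html(comment)}')
```

Each field gets exactly one rule, so a new form field without a rule fails closed instead of being passed through unchecked.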
From: dpw [mailto:dainw at fsr.com]
Sent: Tuesday, June 14, 2005 4:35 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] XSS filters
I am attempting to develop some XSS filters and am concerned that my
"homegrown" attempts wouldn't even begin to cover all of the bases - am
justifiably concerned that what I can find on XSS vulnerabilities on the web
is just the tip of the iceberg compared to what is not on the web...
Does anyone have any code / resource that can help to develop a more
comprehensive XSS filter? For what it's worth, I am developing for the ASP
Thanks in advance!
First Step Internet, L.L.C.