[WEB SECURITY] Methods of protection against XSS

MustLive mustlive at websecurity.com.ua
Sun Dec 30 16:55:14 EST 2012


Hello participants of Mailing List.

This week I've written two new articles. So I'll tell you briefly about my 
latest publications on methods of protection against XSS. This topic should 
be interesting for you (especially for those who haven't read them before). 
These methods can also be used for such tasks as isolation of web 
applications, as I wrote earlier 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-December/008641.html)

In December 2011 I made a series of articles about methods of defending 
against ClickJacking. And this year I've decided to make a series of 
articles about methods of defending against XSS attacks.

1. Protection against XSS with HttpOnly
http://websecurity.com.ua/6220/

In this article I've described HttpOnly as a method of protecting against 
the classic XSS attack of cookie stealing, which has been known since 2002, when 
Microsoft developed it for IE6 SP1. I wrote about HttpOnly's pros and cons, 
described its shortcomings, methods of bypassing it, and the list of browsers 
which support it.
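As an added illustration (not code from the article or from MustLive), here is the server side of the HttpOnly defence in Node.js: a helper that builds a Set-Cookie value with the HttpOnly flag, a small parser, and an audit function a defender can run over outgoing headers to catch a session cookie that script on the page could read. The cookie name `sid`, the option names and the handler are this example's own assumptions.

```javascript
// Added example (not from the original post): issuing a session cookie with
// HttpOnly so that document.cookie in the browser cannot expose it, plus a
// header audit a reviewer can run on a response.

// Build a Set-Cookie header value. Option names and defaults are assumptions
// of this example; Secure and HttpOnly are on unless explicitly disabled.
function buildSessionCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push('Path=' + (opts.path || '/'));
  if (opts.maxAge !== undefined) parts.push('Max-Age=' + opts.maxAge);
  if (opts.secure !== false) parts.push('Secure');
  if (opts.httpOnly !== false) parts.push('HttpOnly');
  parts.push('SameSite=' + (opts.sameSite || 'Lax'));
  return parts.join('; ');
}

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
// Flag attributes without a value (Secure, HttpOnly) are stored as true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.flags[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Defender-side check: does this Set-Cookie header keep the cookie away from
// page script (HttpOnly) and off plain HTTP (Secure)? Returns findings; an
// empty list means the cookie carries the expected protections.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.flags.httponly) findings.push(`${c.name}: missing HttpOnly`);
  if (!c.flags.secure) findings.push(`${c.name}: missing Secure`);
  if (!c.flags.samesite) findings.push(`${c.name}: missing SameSite`);
  return findings;
}

// Request handler that issues the protected cookie. It only needs an object
// with setHeader/end, so it can be exercised without opening a socket.
function sessionHandler(req, res) {
  const sessionId = 'constructed-session-id'; // constructed stand-in for a random id
  res.setHeader('Set-Cookie', buildSessionCookie('sid', sessionId, { maxAge: 3600 }));
  res.setHeader('Content-Type', 'text/plain');
  res.end('ok');
}

// Usage: require('http').createServer(sessionHandler).listen(8080);
// then load the page and run document.cookie in the browser console:
// the "sid" cookie is sent on requests but is absent from the script view.
```

The audit mirrors the article's point: HttpOnly only stops script from reading the cookie; it does not stop an injected script from issuing requests that carry it, which is why the check also looks for Secure and SameSite rather than treating HttpOnly as complete protection.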

2. Protection against XSS with JavaScript
http://websecurity.com.ua/6237/

In this article I've described special JavaScript code as a method of 
protecting against the classic XSS attack of cookie stealing. It can also 
be used for protecting against other XSS attacks (for both of which I've 
presented JS code), which I developed at the beginning of 2008. I wrote 
about its pros and cons and compared it with HttpOnly (this JS method 
has many advantages compared with it).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
