
XSS & security


Penetration Testing in the Real World - Part 1. YouTube.

OWASP Zed Attack Proxy Project. Involvement in the development of ZAP is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

Feature Requests: Please raise new feature requests as enhancement requests here: If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

Feedback: Please use the zaproxy-users Google Group for feedback: What do you like?

Log issues: Have you had a problem using ZAP? If so, and it's not already been logged, then please report it.

Localization: Are you fluent in another language?

You can use Crowdin to do that!

Development: If you fancy having a go at adding functionality to ZAP then please get in touch via the zaproxy-develop Google Group. Again, you do not have to be a security expert to contribute code - working on ZAP could be a great way to learn more about web application security!

Tutorial: HTTP splitting attack (OWASP WebGoat). HTTP splitting is a website attack. It involves injecting a crafted HTTP request through a form to force the target server to return two responses instead of one. It is possible when the server performs a redirection (a 3xx status code with a "Set-Cookie" or "Location" header) built from the request without checking for illegal characters.

This article describes this attack and the OWASP WebGoat training platform. A French version of this article is also available.

In normal operation, each client sends an HTTP request and the server responds. With an HTTP splitting attack, an attacker fills the form with malformed data (textField). This technique allows:

Cache poisoning: the attacker sends two requests, a first malformed one and a second valid one.

Next generation phishing: this is a special case of the previous cache poisoning technique.

Webpage hijacking: the next step of the attack is the hijacking of webpages containing user data, when a (non-vulnerable) proxy is placed between the vulnerable server and the client.

Why %0d%0a? Coucou.

XSS (Cross Site Scripting) Prevention Cheat Sheet. Last revision (mm/dd/yy): 04/7/2014. This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack. This article does not explore the technical or business impact of XSS.

Suffice it to say that it can lead to an attacker gaining the ability to do anything a victim can do through their browser. Both reflected and stored XSS can be addressed by performing the appropriate validation and escaping on the server-side. For a cheatsheet on the attack vectors related to XSS, please refer to the XSS Filter Evasion Cheat Sheet. Before reading this cheatsheet, it is important to have a fundamental understanding of Injection Theory.

A Positive XSS Prevention Model: This article treats an HTML page like a template, with slots where a developer is allowed to put untrusted data.

Why Can't I Just HTML Entity Encode Untrusted Data?

There's more to HTML escaping than &, <, >, and "

A few days ago I tweeted: "If I had a dollar for every HTML escaper that only escapes &, <, >, and ", I'd have $0. Because my account would've been pwned via XSS." This was exaggeration for effect—there aren’t many cases where a simple XSS injection could actually empty a bank account—but I wanted to make a point.

By some coincidence, I’ve found myself working with various open source projects recently that take a half-assed approach to HTML escaping. It’s something that tends to be implemented as an afterthought, which is unfortunate because it can be critical for the security of users of these projects. I won’t name any names in this post (pull requests are forthcoming), but I will explain some of the common problems I’ve seen, why they’re problems, and what can be done to fix them. This post is not an introduction to HTML escaping. Note that this post only discusses escaping, which is something entirely different (and far less complicated) than sanitizing.

Escaping < and > isn’t enough.