XSS Street-Fight : The Only Rule Is There Are No Rules
Content details
Summary
Attack: XSS
• Attacker can send data through web applications that will execute code within the victim’s web browser
• It is an interpreter attack against the web browser
Application Defects: Improper Output Handling
• Application does not properly apply contextual output encoding/escaping of user supplied data.
Types:
• Reflected, Stored and DOM
Consequences:
• Session Hijacking, Malware Installation, Fraud (CSRF).
Remediation: Contextual Output Encoding
• Must escape differently depending where data is displayed on the page
  − HTML, HTML Attribute, URL, JavaScript, CSS.
Taken from the original text
Review date: 14/12/2016
Publisher
Trustwave
Collections
Files
Description:
Xss_street_fight.pdf
Title: Xss_street_fight.pdf
Size: 14.16Mb