Measures to prevent XSS vulnerability (like Twitter's one a few days before)

后端 未结 3 1189
离开以前
离开以前 2021-02-09 14:37

Even famous sites like Twitter are suffering from XSS vulnerability, what should we do to prevent this kind of attack?

3条回答
  •  时光说笑
    2021-02-09 15:13

    The #1 Thing you can do is set your cookies to HTTP Only ... which at least protects against session cookie hijacking. Like someone stealing your cookie when you are likely admin of your own site.

    The rest comes down to validating all user input.

    • RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
    • RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
    • RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
    • RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
    • RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
    • RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Attributes

    Very lengthy subject discussed in detail here:

    http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

    http://www.owasp.org/index.php/Cross_site_scripting

    XSS is only one of many exploits and every web dev should learn the top 10 OWASP by heart imho

    http://www.owasp.org/index.php/Top_10_2007

提交回复
热议问题