ID: 671563 • Letter: 1
Question
1. There are many web sites with third party plug-ins and scripts. However, programmers do not always know if they are safe. OWASP Top Ten is a project to identify web application security issues. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
2. Read
a. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
b. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
c. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
3. What is cross site scripting and how can it be prevented?
4. List five things you can do to protect your web site based on OWASP. Cite your reference where you got the information on their site!
Explanation / Answer
3) Cross-site scripting:
How Cross-site Scripting works:
In order to run malicious JavaScript code in a victim’s browser, an attacker must first find a way to inject a payload into a web page that the victim visits. Of course, an attacker could use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.
In order for an XSS attack to take place the vulnerable website needs to directly include user input in its pages. An attacker can then insert a string that will be used within the web page and treated as code by the victim’s browser.
The following server-side pseudo-code is used to display the most recent comment on a web page.
print "<html>"
print "<h1>Most recent comment</h1>"
print database.latestComment    # user-supplied text written into the page as-is, with no encoding
print "</html>"
The above script is simply printing out the latest comment from a comments database and printing the contents out to an HTML page, assuming that the comment printed out only consists of text.
Users visiting the web page will get served the following HTML page.
Types of Cross-site Scripting Attack:
There is no standard classification, but most of the experts classify XSS in these three flavors: non-persistent XSS, persistent XSS, and DOM-based XSS.
Problem: The underlying problem is that many Web pages display input that is not validated. If input is not validated, malicious script can be embedded within the input. If a server-side script then displays this non-validated input, the script runs on the browser as though the trusted site generated it.
Prevention: This section presents a few approaches to preventing cross-site scripting security attacks. Evaluate your specific situation to determine which techniques will work best for you. It is important to note that in all techniques, you are validating data that you receive from input and not your trusted script. Essentially, prevention means that you follow good coding practice by running sanity checks on your input to your routines.
The following list outlines the general approaches to prevent cross-site scripting attacks:
4) Protecting Your Website from Hackers with OWASP:
Site: https://www.barracuda.com/assets/docs/White_Papers/WAF_-_White_Paper_(Top_10_Biggest_Website_Threats).pdf
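The comment-display example and the prevention advice in the answer above can be seen side by side in code. The following is an added example, not part of the original question or answer: a Python version of the pseudo-code that renders the latest comment unescaped, next to the same page built with HTML entity encoding, which is the OWASP XSS Prevention Cheat Sheet rule for untrusted data placed in HTML element content. The comment text, the function names and the `contains_live_script` check are all constructed for this illustration.

```python
import html

# Constructed sample input (not from the original post): a comment that a user
# submitted and that the page reflects back to every visitor. The <script> tag
# is what turns plain text into an XSS payload.
SAMPLE_COMMENT = "Nice post! <script>alert('xss')</script>"


def render_vulnerable(latest_comment: str) -> str:
    """Mirrors the pseudo-code in the answer: the comment is concatenated into
    the page unchanged, so any markup it contains is parsed by the browser as
    part of the page rather than shown as text."""
    return (
        "<html>\n"
        "<h1>Most recent comment</h1>\n"
        f"{latest_comment}\n"
        "</html>\n"
    )


def render_safe(latest_comment: str) -> str:
    """Same page, but the comment is HTML-entity encoded before it is placed in
    element content. html.escape() converts < > & " and ' into entities, so the
    browser displays the payload as literal characters and never executes it."""
    return (
        "<html>\n"
        "<h1>Most recent comment</h1>\n"
        f"{html.escape(latest_comment, quote=True)}\n"
        "</html>\n"
    )


def contains_live_script(page: str) -> bool:
    """Crude review check (hypothetical helper): does the rendered page still
    contain an unencoded <script tag? An encoded one reads &lt;script."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("escaped", render_safe)):
        page = renderer(SAMPLE_COMMENT)
        print(f"--- {name} ---")
        print(page)
        print("unencoded script tag present:", contains_live_script(page))
```

Entity encoding is the right fix for this specific context (text between HTML tags). Data that ends up inside an attribute value, a URL, a JavaScript block or a CSS property needs the encoder for that context, which is why the cheat sheet lists separate rules per context rather than one universal filter; the encoding also belongs at the point of output, on every path that writes the comment to a page, not only at the point where it was stored.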