Are the following characters XSS vulnerable?

 
Greenhorn
Posts: 6
Hi,
We are trying to implement security in our application, wherein we need to encode and decode the user inputs.

So can anybody please provide me a list of all the characters that are disallowed or dangerous, that I need to encode?

E.g. for the "<" character we use &lt;, for the ">" character we use &gt;.

so can anybody please tell me if the following mentioned characters are XSS vulnerable, and if yes, then how to encode them?

1) ! (exclamation mark) - characters for additional command execution

2) - (hyphen) - can be used in database queries, and in the creation of negative numbers.

3) / \ (forward-slash and back-slash) - often used for faking paths and queries

4) { } [ ] (curly brackets and square brackets) - often used as script, program or regex expressions.

5) * (asterisk) - often used in database queries for "all".

   e.g. <script>x=""*alert(1)*"";y=42;</script>

6) ` (grave accent) - if you need to use both double and single quotes you can use a grave accent (`) to encapsulate the JavaScript string; this is also useful because lots of cross site scripting filters don't know about grave accents.

7) / (division or forward slash)

   <script>x=""/alert(1)/"";y=42;</script>

8) Bitwise "xor" operator (^)

   <script>x=""^alert(1)^"";y=42;</script>

9) Bitwise left shift (<<)

   <script>x=""<<alert(1)<<"";y=42;</script>

10) Bitwise right shift (>>)

   <script>x="">>alert(1)>>"";y=42;</script>

11) Bitwise right shift with zeros (>>>)

   <script>x="">>>alert(1)>>>"";y=42;</script>

12) Ternary conditional expression (? :)

   <script>x=""?alert(1):"";y=42;</script>


Please let me know if I need to encode these characters too. I am using Java for development.

Thanks
 
Ranch Hand
Posts: 820
Best practice is to not roll your own. This is possible, but you are likely to miss something. Instead, use a well tested library such as the OWASP ESAPI.

The following page covers a lot of potential pitfalls in rolling your own and also recommends using ESAPI:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
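To show why the per-character list in the question is the wrong way to frame the problem, here is an added example (it is not ESAPI and not code from either poster) of the cheat sheet's rule for HTML element content and quoted attribute values: treat alphanumerics as the allow-list and turn every other character into a numeric character reference. The class name `HtmlEncoder`, the method `encodeForHtml` and the sample strings are assumptions made for this illustration; the sample inputs are the payloads from the question itself.

```java
import java.util.List;

// Added illustration, not ESAPI and not the poster's code.
// The OWASP cheat sheet's rule for HTML body/attribute context is an
// allow-list: keep [A-Za-z0-9], encode everything else as &#xHH;.
// Under that rule the question "is ^ or ` or >>> dangerous?" never has
// to be answered per character, because none of them survive unencoded.
public final class HtmlEncoder {

    private HtmlEncoder() {}

    /** Encode untrusted data for HTML element content or a quoted attribute value. */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() * 2);
        input.codePoints().forEach(cp -> {
            boolean alphanumeric = (cp >= 'a' && cp <= 'z')
                    || (cp >= 'A' && cp <= 'Z')
                    || (cp >= '0' && cp <= '9');
            if (alphanumeric) {
                out.appendCodePoint(cp);
            } else {
                // Numeric character reference; valid for any code point,
                // including ` ^ < > " ' / \ and the space character.
                out.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        });
        return out.toString();
    }

    /** True if the encoded output contains no character that can change HTML or JS context. */
    public static boolean markupNeutral(String encoded) {
        return !encoded.matches(".*[<>\"'`/\\\\^].*");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the payloads listed in the question, plus plain text.
        List<String> samples = List.of(
                "<script>x=\"\"*alert(1)*\"\";y=42;</script>",
                "<script>x=\"\"^alert(1)^\"\";y=42;</script>",
                "<script>x=\"\"<<alert(1)<<\"\";y=42;</script>",
                "<script>x=\"\">>>alert(1)>>>\"\";y=42;</script>",
                "<script>x=\"\"?alert(1):\"\";y=42;</script>",
                "plain text 42");
        for (String s : samples) {
            String encoded = encodeForHtml(s);
            System.out.println(encoded + "  -> markup-neutral: " + markupNeutral(encoded));
        }
    }
}
```

Two points the example makes that the character list does not: the encoding is applied at the point of output, not as an input filter, and it is specific to one output context. Data placed inside a JavaScript string, a URL parameter or a CSS value needs a different encoder, which is exactly why the cheat sheet points at a library that ships one encoder per context instead of a single list of "bad" characters.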
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic