OWASP has published a very well written XSS cheat sheet.
If you google “cross-site scripting”, most of what you’ll find is a simplistic view of the problem and why XSS is so bad. Unfortunately, articles that only point out problems don’t really offer guidance for the guys writing code. Our industry needs better, more proactive guidance about how to create secure designs and write secure code. The XSS cheat sheet fits the bill. By following positive advice, developers have a better chance at preventing entire swarms of problems, rather than attempting to fix every individual instance and corner case.
My favorite part of the article is the section on why you can’t simply do HTML output escaping to fix *all* XSS issues. In my experience, this is what most people fail to get.
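To make that point concrete, here is an added example (my own code, not part of the cheat sheet or of OWASP's ESAPI) showing why one HTML body escaper is not enough. The encoder functions follow the cheat sheet's per-context rules; the template, the `attribute_names` checker and the `safe_href` helper are my own assumptions, and the input strings are constructed for the demonstration.

```python
import html
import re
from urllib.parse import quote, urlsplit


def encode_html_body(value: str) -> str:
    # Element-content rule: entity-encode & < > " and '.
    return html.escape(value, quote=True)


def encode_html_attribute(value: str) -> str:
    # Attribute rule: encode every non-alphanumeric character as &#xHH; so
    # the value can never end the attribute, quoted or not.
    return "".join(c if c.isalnum() else f"&#x{ord(c):x};" for c in value)


def encode_js_string(value: str) -> str:
    # Quoted-JS-string rule: \xHH (or \uHHHH) every non-alphanumeric.
    out = []
    for c in value:
        if c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(f"\\u{ord(c):04x}")
    return "".join(out)


def encode_url_param(value: str) -> str:
    # Query-parameter rule: percent-encode everything.
    return quote(value, safe="")


def safe_href(value: str) -> str:
    # A URL scheme is a validation problem, not an encoding problem:
    # escaping leaves "javascript:" intact, so allow-list the scheme first,
    # then attribute-encode the value for the href="..." slot. (Assumed helper.)
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return encode_html_attribute(value)


ATTR_RE = re.compile(r"\s([A-Za-z][\w-]*)=")


def attribute_names(fragment: str) -> list:
    # Crude check used only to show how many attributes a fragment ends up
    # with after rendering (assumed helper, not a real HTML parser).
    return ATTR_RE.findall(fragment)


def render_unquoted_attr(value: str, encoder) -> str:
    # Constructed template with an unquoted attribute, the case the cheat
    # sheet warns body escaping cannot protect.
    return f"<input value={encoder(value)}>"


if __name__ == "__main__":
    untrusted = "x onmouseover=alert(1)"  # constructed input, no HTML metacharacters
    # Body escaping changes nothing here, so the rendered tag gains an attribute.
    print(render_unquoted_attr(untrusted, encode_html_body))
    print(attribute_names(render_unquoted_attr(untrusted, encode_html_body)))
    # Attribute encoding keeps the whole string inside the one value.
    print(render_unquoted_attr(untrusted, encode_html_attribute))
    print(attribute_names(render_unquoted_attr(untrusted, encode_html_attribute)))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.com/?q=1"))
```

The lesson is the one the cheat sheet spells out: pick the encoder by where the data lands (element content, attribute, JavaScript string, URL parameter), quote your attributes in the template anyway, and treat a URL scheme as something to validate rather than escape.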
Comments (3)
They also have the SQL Injection prevention cheat sheet now:
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Fairly complete now I believe…
Posted 02 Apr 2009 at 10:14 pm

Romain: excellent, I didn’t know about it.

Posted 02 Apr 2009 at 11:03 pm

Actually, this makes me think that we should have this kind of information, for developers, at Cigital.

Posted 03 Apr 2009 at 2:33 pm

Let’s say, developers are using a given platform/framework/language combination and we would be able to give them best practices related to their technology stack, not only general description (or publicizing a particular API like ESAPI/OWASP does)…