XSS Attacks

code analysis

Noncompliant Code Example (PHP):
$name = $_GET["name"];
echo "Welcome $name"; // Noncompliant: raw request input is written straight into the HTML response
Compliant Solution:
$name = $_GET["name"];
// ENT_QUOTES also encodes single quotes, which the pre-PHP 8.1 default (ENT_COMPAT) leaves alone;
// that matters if the value ever lands inside a single-quoted attribute. Passing the charset explicitly
// avoids surprises from a differently configured default_charset.
$safename = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo "Welcome $safename";
Noncompliant Code Example (Flask):

templates/xss_shared.html
<!doctype html>
<title>Hello from Flask</title>
{% if name %}
<h1>Hello {{ name }}!</h1>
{% else %}
<h1>Hello, World!</h1>
{% endif %}

xss.py
from flask import Blueprint, request, make_response

xss = Blueprint('xss', __name__)  # assumed: the original snippet omits the Blueprint definition

@xss.route('/insecure/no_template_engine_replace', methods=['GET'])
def no_template_engine_replace():
    param = request.args.get('param', 'not set')
    # The template file is read as a plain string, so Jinja never runs: the {% if %} tags are
    # emitted literally and Jinja's autoescaping never gets a chance to protect the value.
    html = open('templates/xss_shared.html').read()
    response = make_response(html.replace('{{ name }}', param))  # Noncompliant: param is not sanitized
    return response
Compliant Solution:

templates/xss_shared.html
<!doctype html>
<title>Hello from Flask</title>
{% if name %}
<h1>Hello {{ name }}!</h1>
{% else %}
<h1>Hello, World!</h1>
{% endif %}

xss.py
from flask import Blueprint, request, make_response
from markupsafe import Markup

xss = Blueprint('xss', __name__)  # assumed: the original snippet omits the Blueprint definition

@xss.route('/secure/no_template_engine_sanitized_Markup_escape', methods=['GET'])
def no_template_engine_sanitized_Markup_escape():
    param = request.args.get('param', 'not set')
    # Markup.escape encodes & < > " and ', which covers HTML text and quoted-attribute contexts.
    # The idiomatic Flask fix is render_template('xss_shared.html', name=param), which autoescapes;
    # this version keeps the page's manual-replace structure and escapes by hand.
    param = Markup.escape(param)
    html = open('templates/xss_shared.html').read()
    response = make_response(html.replace('{{ name }}', param))  # Compliant: 'param' is sanitized by Markup.escape
    return response
Noncompliant Code Example (Java servlet):
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String name = req.getParameter("name");
    PrintWriter out = resp.getWriter();
    out.write("Hello " + name); // Noncompliant: request parameter written unencoded into the response body
}
Compliant Solution:
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String name = req.getParameter("name");
    // OWASP Java Encoder: forHtml encodes for HTML text content and quoted attribute values.
    // It is not sufficient for JavaScript, CSS or URL contexts; those need forJavaScript, forCssString, forUriComponent.
    String encodedName = org.owasp.encoder.Encode.forHtml(name);
    PrintWriter out = resp.getWriter();
    out.write("Hello " + encodedName);
}
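All three fixes above apply the same technique, HTML entity encoding of request input before it is written into the page body. The added example below is not code from the original post or from the rule set the snippets come from; it is a stand-alone Python reconstruction of the page's "replace a placeholder, no template engine" pattern using only the standard library, with a constructed template in place of templates/xss_shared.html. It shows the vulnerable and the encoded versions side by side, and also the caveat the page does not state: entity encoding is context-specific. A value placed in an href attribute needs URL scheme validation as well, because a javascript: URL contains no HTML-significant characters and survives html.escape untouched. The function names, TEMPLATE and ALLOWED_SCHEMES are assumptions made for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for the page's templates/xss_shared.html: plain placeholders,
# no template engine, so nothing is escaped unless this code does it.
TEMPLATE = (
    "<!doctype html>\n"
    "<title>Hello</title>\n"
    "<h1>Hello {{ name }}!</h1>\n"
    '<a href="{{ link }}">profile</a>\n'
)

# Assumed policy for this example: only web URLs may be linked.
ALLOWED_SCHEMES = {"http", "https"}


def render_insecure(name: str, link: str) -> str:
    """Noncompliant: request input is spliced into the HTML unchanged."""
    return TEMPLATE.replace("{{ name }}", name).replace("{{ link }}", link)


def render_html_escaped(name: str, link: str) -> str:
    """HTML entity encoding only, the fix the page shows.

    quote=True also encodes ' and ", which matters inside attribute values
    (the PHP equivalent is htmlspecialchars with ENT_QUOTES).
    """
    return (TEMPLATE
            .replace("{{ name }}", html.escape(name, quote=True))
            .replace("{{ link }}", html.escape(link, quote=True)))


def safe_url(link: str) -> str:
    """Allow only http(s) URLs; anything else becomes an inert fragment link.

    HTML encoding cannot help here: 'javascript:alert(1)' contains no
    HTML-significant characters, so it passes html.escape unchanged and the
    browser still runs it on click. Because this is an allowlist, it does not
    matter whether a given Python release parses 'java\\tscript:' as scheme
    'javascript' (newer releases strip tab/newline the way browsers do) or as
    no scheme at all (older releases): both fail the check. urlsplit lowercases
    the scheme, so 'JavaScript:' fails as well.
    """
    if urlsplit(link).scheme in ALLOWED_SCHEMES:
        return link
    return "#"


def render_secure(name: str, link: str) -> str:
    """Context-aware output handling.

    The URL is validated for the href context first, then both values are
    HTML-encoded for the text / quoted-attribute context they land in.
    """
    return (TEMPLATE
            .replace("{{ name }}", html.escape(name, quote=True))
            .replace("{{ link }}", html.escape(safe_url(link), quote=True)))


if __name__ == "__main__":
    # Constructed payloads: one breaks out of the <h1> text, one abuses the href context.
    payload_name = '"><script>alert(1)</script>'
    payload_link = "javascript:alert(document.cookie)"
    print(render_insecure(payload_name, payload_link))
    print(render_html_escaped(payload_name, payload_link))
    print(render_secure(payload_name, payload_link))
```

Run it and compare the three outputs: the second still carries `href="javascript:..."` even though the script tag is neutralised, which is exactly the gap an "escape everything with htmlspecialchars" mindset leaves open. Framework autoescaping (Jinja's `render_template`, JSP's `<c:out>`) covers the text and attribute contexts the same way html.escape does here; URL, JavaScript and CSS contexts still need their own encoder or validation.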

This site explains the vulnerability in detail with challenges

XSS Bug Bounty Reports
Ahmed Gad