search

OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License
492 stars 111 forks source link

DOM XSS - Documentation #13

Closed ghost closed 6 years ago

ghost commented 6 years ago

I think we need to make clear somewhere in the documentation clear that customers need to take additional steps for preventing DOM based XSS when using this library. Current documentation says about how to encode in direct CSS/HTML contexts but does not talk about how to encode when inserting Untrusted Data into HTML Subcontext within the Execution Context.

There are many such examples in [1] and I think its worth it to make a note of it somewhere in the documentation of this document.

[1] https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_then_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_HTML_Subcontext_within_the_Execution_Context

jmanico commented 6 years ago

This library is for encoding only. It does not do HTML sanitization. Also, DOM XSS is best defended against buy using safe JS API’s like .textContent (not escaping). You also need CSP. You should also consider HTTPOnly cookies. And the X-XSS-Protection header.

So we’re not trying to address any of those other defenses; just encoding.

Where do you propose we make it (more) clear this is for encoding only?

Aloha, — Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805

On Mar 29, 2018, at 12:44 PM, vikxcoder notifications@github.com wrote:

I think we need to make clear somewhere in the documentation clear that customers need to take additional steps for preventing DOM based XSS when using this library. Current documentation says about how to encode in direct CSS/HTML contexts but does not talk about how to encode when inserting Untrusted Data into HTML Subcontext within the Execution Context.

There are many such examples in [1] and I think its worth it to make a note of it somewhere in the documentation of this document.

[1] https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_then_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_HTML_Subcontext_within_the_Execution_Context

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

ghost commented 6 years ago

Yup, I get that.

I am just thinking that people would assume that using this library properly (ie.., using right encoding function) would help them in mitigating against all sorts of XSS attacks including DOM. In fact, home page [1] says - "This project will help Java web developers defend against Cross Site Scripting!". Even you use all the context sensitive functions correctly, you might still be vulnerable to XSS according to OWASP DOM based prevention wiki as we need to encode for HTML first and then for JS next for few situations. I propose we make this clear either on the homepage.

[1] https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

jmanico commented 6 years ago

I’ll add some notes to the wiki about this topic over the weekend. Good call.

Aloha,

Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805

On Mar 29, 2018, at 2:01 PM, vikxcoder notifications@github.com wrote:

Yup, I get that.

I am just thinking that people would assume that using this library properly (ie.., using right encoding function) would help them in mitigating against all sorts of XSS attacks including DOM. In fact, home page [1] says - "This project will help Java web developers defend against Cross Site Scripting!". Even you use all the context sensitive functions correctly, you might still be vulnerable to XSS according to OWASP DOM based prevention wiki as we need to encode for HTML first and then for JS next for few situations. I propose we make this clear either on the homepage.

[1] https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

jmanico commented 6 years ago

Warning has been added!

https://www.owasp.org/index.php?title=OWASP_Java_Encoder_Project&type=revision&diff=239490&oldid=236044

On 3/29/18 10:01 PM, vikxcoder wrote:

Yup, I get that.

I am just thinking that people would assume that using this library properly (ie.., using right encoding function) would help them in mitigating against all sorts of XSS attacks including DOM. In fact, home page [1] says - "This project will help Java web developers defend against Cross Site Scripting!". Even you use all the context sensitive functions correctly, you might still be vulnerable to XSS according to OWASP DOM based prevention wiki as we need to encode for HTML first and then for JS next for few situations. I propose we make this clear either on the homepage.

[1] https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/OWASP/owasp-java-encoder/issues/13#issuecomment-377371017, or mute the thread https://github.com/notifications/unsubscribe-auth/AAgcCaDwxECGgbWfGaSlr2VG_CanyZKYks5tjUuQgaJpZM4TA4fa.

jmanico commented 6 years ago

Assuming the warning is enough, I'm closing this out for now.