<!-- Blame: Brian Silverman, commit 8ab8a65, 2015-09-21 17:49:11 -0400 -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Cross-Site Scripting Resources</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="designstyle.css" type="text/css" rel="stylesheet">
<style type="text/css">
<!--
ol.bluelist li {
  color: #3366ff;
  font-family: sans-serif;
}
ol.bluelist li p {
  color: #000;
  font-family: "Times Roman", times, serif;
}
ul.blacklist li {
  color: #000;
  font-family: "Times Roman", times, serif;
}
//-->
</style>
</head>
<body>

<h1> <a name="XSS_Resources"></a>Cross-Site Scripting Resources</h1>
<center><strong>Status: Current</strong>
<small>(as of 17 August 2006)</small></center>
<br>

<p>Cross-Site Scripting (commonly abbreviated as XSS) is a security
issue that arises when an attacker can cause client-side script (such as
JavaScript) of his or her choosing to execute within another user's
browser in the context of a given web-site or web-application. This may
allow the attacker to steal that user's session cookies for the
web-application in question, or otherwise manipulate that user's session
context.

<p>XSS vulnerabilities most often arise if a web-application renders
data that originated from an untrusted source (such as a query
parameter) in an HTML document without carefully validating or escaping
that data.
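<p>The following is an added example, not code from this page or its project, contrasting the unescaped rendering described above with the escaped form. The function names (<code>escapeHtml</code>, <code>renderGreetingUnsafe</code>, <code>renderGreetingSafe</code>) and the sample query-parameter value are hypothetical, chosen for the illustration.

```javascript
// Added example (not part of the original page): escaping untrusted data
// before it is interpolated into HTML, beside the naive concatenation that
// causes XSS. All names here are hypothetical.

// Characters that are significant in HTML element content and in
// double- or single-quoted attribute values, mapped to entity references.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for insertion into HTML text or a quoted attribute.
// A single regex pass means already-present '&' is escaped exactly once.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: a query parameter is concatenated straight into
// markup, so any markup the parameter contains becomes part of the page.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '!</p>';
}

// Hardened pattern: the same page, but the untrusted value is escaped for
// the HTML context it is placed in, so it is rendered as literal text.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

// Constructed sample input, as it might arrive in a query parameter.
const SAMPLE_NAME = "O'Brien <script>alert(1)</script>";

console.log('unsafe:', renderGreetingUnsafe(SAMPLE_NAME));
console.log('safe:  ', renderGreetingSafe(SAMPLE_NAME));
```

The escaped output keeps the attacker-controlled text but contains no raw <code>&lt;</code>, <code>&gt;</code>, or quote characters, so the browser displays it instead of parsing it as markup.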

<p>The following online resources provide further information on XSS
vulnerabilities and how to avoid them:

<ul>
<li>The Open Web Application Security Project (OWASP) has an
<a href="http://www.owasp.org/index.php/Cross_Site_Scripting">introductory
article</a> on XSS.
</li>

<li>In addition, the OWASP's
<a href="http://www.owasp.org/index.php/Category:OWASP_Guide_Project">Guide to Building Secure Web
Applications and Web Services</a> and the
<a href="http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">"Top
Ten" Vulnerabilities</a> include sections on XSS.
</li>

<li>The CERT Coordination Center published
<a href="http://www.cert.org/tech_tips/malicious_code_mitigation.html">Understanding
Malicious Content Mitigation for Web Developers</a> and
<a href="http://www.cert.org/advisories/CA-2000-02.html">Advisory
CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests</a>.
</li>
</ul>
</body>
</html>