
Are the following characters XSS vulnerable?

 
dinesh maddy
Greenhorn
Posts: 6
Hi,
We are trying to implement security in our application, wherein we need to encode and decode the user inputs.

So can anybody please provide me with a list of all the characters that are disallowed or dangerous, which I need to encode?

For example, for the "<" character we use &lt;, and for the ">" character we use &gt;.

So can anybody please tell me whether the following characters are XSS vulnerable, and if yes, how to encode them?

1) ! - exclamation mark - character for additional command execution

2) - hyphen - can be used in database queries, and in the creation of negative numbers.

3) /\ = The forward-slash and back-slash are often used for faking paths and queries.

4) { } [ ] = Curly brackets and square brackets are often used in script, program or regex expressions.

5) * (asterisk) = Often used in database queries for "all".

eg. <script>x=""*alert(1)*"";y=42;</script>

6) ` (grave accent) = If you need to use both double and single quotes you can use a grave accent (`) to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents.

7) / (division or forward slash) -

<script>x=""/alert(1)/"";y=42;</script>

8) Bitwise "xor" operator: (^)

<script>x=""^alert(1)^"";y=42;</script>

9) Bitwise Left Shift (<<)

<script>x=""<<alert(1)<<"";y=42;</script>

10) Bitwise Right Shift (>>)

<script>x="">>alert(1)>>"";y=42;</script>

11) Bitwise Right Shift With Zeros (>>>)

<script>x="">>>alert(1)>>>"";y=42;</script>

12) Ternary Conditional Expression (?:)

<script>x=""?alert(1):"";y=42;</script>

Please let me know if I need to encode these characters too. I am using Java for development.

Thanks
 
Tim McGuire
Ranch Hand
Posts: 820
Best practice is to not roll your own. This is possible, but you are likely to miss something. Instead, use a well tested library such as the OWASP ESAPI.

The following page covers a lot of potential pitfalls in rolling your own and also recommends using ESAPI:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
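The following worked example is added here and is not part of either post or of the ESAPI project. It shows in plain Java what the context-aware encoding the cheat sheet describes does to the kinds of strings listed in the question. In an HTML body or attribute context only the HTML metacharacters (& < > " ') need escaping, so the operator characters in the question (*, ^, >>>, ?:, `) are harmless there. In a JavaScript string context, every character outside [A-Za-z0-9] is escaped as \xHH (or \uHHHH), so the quote an input would need to close `x="..."` never survives and the operators that follow it are never parsed as code. The two methods mirror the rules applied by ESAPI's `Encoder.encodeForHTML` and `Encoder.encodeForJavaScript`; ESAPI itself is not called so the file compiles stand-alone (`java Encoders.java` on Java 11 or later). The sample inputs are constructed from the shapes in the question.

```java
// Added example (not code from the thread or from OWASP ESAPI): two output
// encoders, one per output context, and a demonstration on the question's
// sample strings. Compile/run stand-alone with: java Encoders.java
public class Encoders {

    /**
     * HTML body / quoted-attribute context.
     * Only the HTML metacharacters can change how the browser parses markup,
     * so these are the only characters that must be escaped here.
     * "/" is also escaped, as older versions of the linked cheat sheet
     * recommend; this is harmless but not strictly required.
     */
    public static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * JavaScript string-literal context (inside var x = "..." in a script).
     * Everything except ASCII letters and digits becomes \xHH or \uHHHH, so
     * no input character can terminate the string literal or act as an
     * operator, regardless of which punctuation it contains.
     */
    public static String encodeForJavaScript(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z')
                         || (c >= 'A' && c <= 'Z')
                         || (c >= '0' && c <= '9');
            if (alnum) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs modelled on the question's items 5, 8, 11, 6 and 12.
        String[] inputs = {
            "\"*alert(1)*\"",
            "\"^alert(1)^\"",
            "\">>>alert(1)>>>\"",
            "`alert(1)`",
            "\"?alert(1):\"",
            "<script>alert(1)</script>",
        };
        for (String in : inputs) {
            System.out.println("input     : " + in);
            // Placed in an HTML element body: tags and quotes are neutralised,
            // operator characters pass through unchanged because they mean nothing to the HTML parser.
            System.out.println("HTML body : <p>" + encodeForHtml(in) + "</p>");
            // Placed inside a JS string literal: the closing quote never appears,
            // so the rest of the input stays inside the string.
            System.out.println("JS string : <script>var x=\"" + encodeForJavaScript(in) + "\";</script>");
            System.out.println();
        }
    }
}
```

The point the output makes is that the encoding rule is chosen by where the value is inserted, not by which characters it happens to contain; a single "dangerous character" list cannot be correct for every context, which is why the cheat sheet is organised by output context and why a maintained library such as ESAPI is the safer choice.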
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic