XSS prevention in Java
How can I prevent XSS attacks in Java? Are there any good libraries for that? ...
xss
I think my PHP app is being session hijacked?
Hi there, I have a php site that lets registered users login (with a valid passord) and sets up a session based on their UserID. However I'm pretty sure thisis being hijacked and I've found "new" files on my server I didn't put there. My site cleans all user input for SQL injections and XSS but this keeps happening. Has anyone got any i...
Stealing Cookies with no user input?
I'm creating a static site generator with a dynamic admin backend for one user. The site accepts no user input. Does this mean that I am safe from attackers who are trying to steal my admin cookie? (there is no user input, so XSS and other methods don't work, right?) ...
getting web page data as json object?
I have a url, the data of which page i need as a json object. I ve tried xmlhttprequest and ajaxobject both but doesnt work. It doesnt even give a responseText when I give it as an alert Ill post both the code snippets here. url = http://mydomain.com:port/a/b/c AJAX : var ajaxRequest = new ajaxObject(URL); ajaxRequest.callback = funct...
PHP input sanitizer?
What are some good PHP html (input) sanitizers? Preferably, if something is built in - I'd like to us that. UPDATE: Per the request, via comments, input should not allow HTML (and obviously prevent XSS & SQL Injection, etc). ...
Best Practice: User generated HTML cleaning
I'm coding a WYSIWYG editor width designMode="on" on a iframe. The editor works fine and i store the code as is in the database. Before outputing the html i need to "clean" with php on the server-side to avoid cross-site-scripting and other scary things. Is there some sort of best practice on how to do this? What tags can be dangerous?...
Do I need to sanitize the callback parameter from a JSONP call?
I would like to offer a webservice via JSONP and was wondering, if I need to sanitize the value from the callback parameter. My current server side script looks like this currently (More or less. Code is in PHP, but could be anything really.): header("Content-type: application/javascript"); echo $_GET['callback'] . '(' . json_encode($d...
Best practice. Do I save html tags in DB or store the html entity value?
Hi Guys, I was wondering about which way i should do the following. I am using the tiny MCE wysiwyg editor which formats the users data with the right html tags. Now, i need to save this data entered into the editor into a database table. Should I encode the html tags to their corresponding entities when inserting into the DB, then w...
Is it possible to make XSS attacks through html comments with JSP code inside?
Hello! Is it true that following code adds a XSS vulnerability to some JSP page? <!-- <%=paramName%>=<%=request.getParameter(paramName)%><BR> --> It looks like a "leftover debug" and definitely should be removed from the code, but how dangerous is it? ...
XSS attack prevention
Hi, I'm developing a web app where users can response to blog entries. This is a security problem because they can send dangerous data that will be rendered to other users (and executed by javascript). They can't format the text they send. No "bold", no colors, no nothing. Just simple text. I came up with this regex to solve my problem...
How do I protect against cross-site scripting?
I am using php, mysql with smarty and I places where users can put comments and etc. I've already escaped characters before inserting into database for SQL Injection. What else do I need to do? ...
Can someone give me some basic XSS and sql injection scripts? (not what it seems)
I am testing out my scripts to see if they will prevent xss and sql injections. Can someone provide me with some basic but good scripts that would "hack" into my programs. I want to test my scripts before it goes online. EDIT: Thank you all for those links, they contain loads and loads of information. But for a beginner to security, is...
Sanitizing user input before adding it to the DOM in Javascript
I'm writing the JS for a chat application I'm working on in my free time, and I need to have HTML identifiers that change according to user submitted data. This is usually something conceptually shaky enough that I would not even attempt it, but I don't see myself having much of a choice this time. What I need to do then is to escape the...
PHP: I got hacked...
I just checked my site it suddenly jumps me to this site: xxxp://www1.re*******3.net/?p=p52dcWpkbG6HjsbIo216h3de0KCfaFbVoKDb2YmHWJjOxaCbkXp%2FWqyopHaYXsiaY2eRaGNpnFPVpJHaotahiaJ0WKrO1c%2Beb1qfnaSZdV%2FXlsndblaWpG9plmGQYWCcW5eakWppWKjKx6ChpqipbmdjpKjEjtDOoKOhY56n1pLWn1%2FZodXN02BdpqmikpVwZWpxZGxpcV%2FVoJajYmJkZ2hwlGGXaVbJkKC0q1eum5qimZxx...
session_start is clearing form fields
I have 2 pages: one with a form and one that prints PayPal button. 1st page has script that prints the form, validates it and when everything is OK redirects the user to the second page that prints out PayPal button. On both pages I use session_start() to prevent CSRF. (when the accidently get to the second page, they are redirected to t...
align WMD editor's preview HTML with server-side HTML validation (e.g. no embedded javascript)
There are many SO questions (e.g. here and here) about how to do server-side scrubbing of Markdown produced by the WMD editor to ensure the HTML generated doesn't contain malicious script, like this: <img onload="alert('haha');" src="http://www.google.com/intl/en_ALL/images/srpr/logo1w.png" /> But I didn't find a good way to plug ...
PHP Form Security With Referer
I'm putting together a site that will make itself available for user input. I was wondering if writing a function like: if(getenv("HTTP_REFERER") != 'http://www.myURL.com/submitArea'){ die('don\'t be an jerk, ruin your own site'); }else{ // continue with form processing } is enough to prevent cross site...
Payment gateways and XSS
Hi all, I'm working on a website which takes payment from a customer. I'm using Kohana 2.3.4 and have created a library to handle the payment gateway I use (www.eway.com.au). Basically I'm just using their sample code, copied into it's own class. Anyway, the code works fine and I can make payments, etc. The issue I have is when the pay...
How Do I Prevent a XSS Cross-Site Scripting Attack When Using jQueryUI Autocomplete
I am checking for XSS vulnerabilities in a web application I am developing. This Rails app uses the h method to sanitize HTML it generates. It does, however, make use of the jQueryUI autocomplete widget (new in latest release), where I don't have control over the generated HTML, and I see tags are not getting escaped there. The data f...
Using jQuery to disable CSS inheritance
Is there a way to use jQuery (or generic javascript) to disable CSS inheritance on a block level? For example, if I am pulling in an external resource via javascript, say pastie.org, they will have their own CSS that my CSS overrides. I would like to place the embed code into its own container that has CSS inheritance disabled. This is ...