Welcome to Scribd!

Xss Cheat Sheet

Uploaded by

0% found this document useful (0 votes)

83 views2 pages

"> alert(' '); Some exploit strings for testing HTML attributes Node namest JSON Attributes HTML tags. - Allow all input - encode all output do not flter or encode input that gets stored but always protect the user on output. - Never do it yourself Never write the encoding/fltering methods yourself.

Original Description:

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

83 views2 pages

Xss Cheat Sheet

Uploaded by

Rodry Mmni

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 2

Search inside document

Examples

Example API usages for the most common contexts

<%
String title = request.getParameter(title);
String alertText = request.getParameter(alertText);
String link = request.getParameter(link);
String fontSize = request.getParameter(fontSize);
String className = request.getParameter(className);
XSSAPI myXssAPI = xssAPI.getRequestSpecifcAPI(request);
%>
<%@ include fle=/libs/foundation/global.jsp %>
<html>
<head><title><%= xssAPI.encodeForHTML(title); %></title></head>
<body>
<p><%= xssAPI.flterHTML(Text with legitimate <b>HTML</b> Tags); %>
</p>
<font size=<%= xssAPI.getValidInteger(fontSize); %>>
<a href=<%= myXssAPI.getValidHref(link) %> >click me</a>
</font>
<span class=<%= xssAPI.encodeForHTMLAttr(className); %>>
<cq:text property=jcr:description tagName=p escapeXml=true>
</span>
<script>alert(<%= xssAPI.encodeForJSString(alertText); %>);
</script>
</body>
</html>
Some exploit strings for testing
HTML attributes
Node namest
JSON Attributes
HTML tags
2013 Adobe Systems, Incorporated.
><script>alert(23);</script>
><img src=bogus onError=alert(23)>
</script><script>alert(23);</script>
See also: OWASP XSS Filter Evasion Cheat Sheet
};alert(23);a={a:
CQ/GRANITE ENGINEERING
XSS Cheat Sheet
How to get the XSSAPI Service?
Philosophy
<%@ include fle=/libs/foundation/global.jsp %>
<title><%= xssAPI.encodeForHTML(title); %></title>
import com.adobe.granite.xss.XSSAPI;

public class MyClass {
private void myFunction(ResourceResolver resourceResolver) {
XSSAPI xssAPI = resourceResolver.adaptTo(XSSAPI.Class);
}
}
Java component
Java
JSP
import com.adobe.granite.xss.XSSAPI;
@Reference
private XSSAPI xssAPI;
- Allow all input - Encode all output
Do not flter or encode input that gets stored but always protect the user on output.
- Encode at the very end
Encode the output-statement itself not intermediate values, so it is always obvious that an output
statement is not dangerous, and you know you are encoding for the right context.
- Dont think too much
Encode the content no matter where it is coming from. Your code might be copied or included, and the
ACLs on the property might change.
- Never do it yourself
Never write the encoding/fltering methods yourself. XSS encoding is very diffcult and error prone. If
something is missing in the library, please fle a bug.
- Prefer a validator to an encoder
Some situations, such as href and src attributes, MUST use a validator
Taglib
Taglib
<cq:text property=jcr:title tagName=h2 escapeXml=true>
// Filter a string using the AntiSamy library to allow certain tags
public String flterHTML(String source);
// Use one of these to get an XSSAPI suitable for validating URLs
public XSSAPI getRequestSpecifcAPI(SlingHttpServletRequest request);
public XSSAPI getResourceResolverSpecifcAPI(ResourceResolver resolver);
Filters
JCR based URL mapping
// Encode string to use inside an HTML tag
public String encodeForHTML(String source);

// Encode string to use inside an HTML attribute
public String encodeForHTMLAttr(String source);

// Encode string to use inside an XML tag
public String encodeForXML(String source);

// Encode string to use inside an XML attribute
public String encodeForXMLAttr(String source);

// Encode string to use as a JavaScript string
public String encodeForJSString(String source);
Encoders
// Get a valid dimension (e.g. an image width parameter)
public String getValidDimension(String dimension, String defaultValue);

// Get a valid URL (Needs request-/resourceresolver specifc API, see below)
public String getValidHref(String url);

// Get a valid integer from a string
public Integer getValidInteger(String integer, int defaultValue);

// Get a valid long from a string
public Long getValidLong(String long, long defaultValue);

// Validate a Javascript token.
// The value must be either a single identifer, a literal number, or a literal string.
public String getValidJSToken(String token, String defaultValue);
Validators
XSSAPI: Methods
2013 Adobe Systems, Incorporated.

Plastic Properties Handbook
Document15 pages
Plastic Properties Handbook
guilloteARG
No ratings yet
Mecha World Compendium Playbooks BW
Document12 pages
Mecha World Compendium Playbooks BW
Robson Alves Maciel
No ratings yet
Sql Plsql Oracle
From Everand
Sql Plsql Oracle
Andrew Igla
No ratings yet
Java Cheatsheet
Document24 pages
Java Cheatsheet
A Sharmila
No ratings yet
Coaxial Cable Attenuation Chart
Document6 pages
Coaxial Cable Attenuation Chart
Nam Pham
No ratings yet
Object Oriented Programming in Java: Qasim Ali
Document204 pages
Object Oriented Programming in Java: Qasim Ali
maria nishan
No ratings yet
Hibernate Tool
Document50 pages
Hibernate Tool
Arobinda Bachhar
No ratings yet
Multimedia Messaging Service Center (MMSC) V 2.6
Document30 pages
Multimedia Messaging Service Center (MMSC) V 2.6
omjaijagdish.rai
No ratings yet
Tuma Research Manual
Document57 pages
Tuma Research Manual
Kashinde Learner Centered Mandari
100% (1)
Implementing Event Sourcing With Axon and Spring Boot
Document6 pages
Implementing Event Sourcing With Axon and Spring Boot
Pappu Khan
No ratings yet
OOCUsingJava Lab Guide V3
Document94 pages
OOCUsingJava Lab Guide V3
rdfd4545454
No ratings yet
Learn Java - String Methods Cheatsheet - Codecademy PDF
Document4 pages
Learn Java - String Methods Cheatsheet - Codecademy PDF
abhi yadav
No ratings yet
Tech Bingo! : Aliev@
Document3 pages
Tech Bingo! : Aliev@
Rauf Aliev
No ratings yet
Student Controller
Document24 pages
Student Controller
Muhammad Fraz
No ratings yet
Jonathan Livingston Seagull - Richard Bach - (SAW000) PDF
Document39 pages
Jonathan Livingston Seagull - Richard Bach - (SAW000) PDF
Adrià Sonet
No ratings yet
Spring & Struts & JSP Tag
Document88 pages
Spring & Struts & JSP Tag
Viet Phu Nguyen
No ratings yet
OWASP Code Review 2007 RC2 - Version For Print
Document145 pages
OWASP Code Review 2007 RC2 - Version For Print
aml_al3'd
No ratings yet
Verify Element Present or Not:: Step 1) Convert Web Driver Object To Takescreenshot
Document12 pages
Verify Element Present or Not:: Step 1) Convert Web Driver Object To Takescreenshot
sanket
No ratings yet
12 Spring Boot Rest Crud With Spring Data Jpa
Document94 pages
12 Spring Boot Rest Crud With Spring Data Jpa
Taseen
No ratings yet
Spring Boot Reference
Document377 pages
Spring Boot Reference
Essidik Eddoukali
No ratings yet
Re Factoring
Document20 pages
Re Factoring
أسماء وادي
No ratings yet
R&D Doc For ShipmentAPI
Document8 pages
R&D Doc For ShipmentAPI
varinder8
No ratings yet
Spring Security Ramesh Draft2
Document10 pages
Spring Security Ramesh Draft2
Sanjeev Sharma
No ratings yet
Java Coding Rules
Document12 pages
Java Coding Rules
Krishna Prasad
100% (1)
Java Cheatsheet
Document4 pages
Java Cheatsheet
Anonymous uq2CSm2T
No ratings yet
Java and Caching: by Martin Nad
Document20 pages
Java and Caching: by Martin Nad
martin nad
100% (1)
How To Write Clean Java Code PDF
Document1 page
How To Write Clean Java Code PDF
Yaegar Wain
No ratings yet
Java Coding Standards
Document27 pages
Java Coding Standards
venkateshdorai
No ratings yet
Hibernate Tutorial - Odt
Document75 pages
Hibernate Tutorial - Odt
boyong
No ratings yet
Project Quality Plan (JFJS-788)
Document18 pages
Project Quality Plan (JFJS-788)
momin
No ratings yet
Building Websites with VB.NET and DotNetNuke 4
From Everand
Building Websites with VB.NET and DotNetNuke 4
Daniel N. Egan
Rating: 1 out of 5 stars
1/5 (1)
Java Coding Standards
Document3 pages
Java Coding Standards
raghavi_26
No ratings yet
Conducting Focus Groups
Document4 pages
Conducting Focus Groups
Oxfam
100% (1)
TERASOLUNAServer Framework For Java Development Guideline
Document2,321 pages
TERASOLUNAServer Framework For Java Development Guideline
tehnic1
No ratings yet
Lesson05.22 - Java Common Coding Defects
Document31 pages
Lesson05.22 - Java Common Coding Defects
Bang Trinh
50% (2)
01 JWT Authentication in Spring Boot 3 With Spring Security 6
Document38 pages
01 JWT Authentication in Spring Boot 3 With Spring Security 6
Wowebook Pro
No ratings yet
Spring Framework For All
Document157 pages
Spring Framework For All
Ariel Cupertino
No ratings yet
Generating Userid and Password in Java
Document2 pages
Generating Userid and Password in Java
Radheshyam Nayak
No ratings yet
Java Faq Material
Document86 pages
Java Faq Material
rajesh7java
No ratings yet
Spring Annotations: Become A Spring Guru
Document8 pages
Spring Annotations: Become A Spring Guru
Razz Kumar
No ratings yet
Java - Exceptions: Orexceptionalevent
Document11 pages
Java - Exceptions: Orexceptionalevent
Vinod Kumar
No ratings yet
Zero Effort Spring:: An Intro To Spring Boot
Document25 pages
Zero Effort Spring:: An Intro To Spring Boot
Henda Boujneh Ben Driss
No ratings yet
Vtu 4th Sem Design and Analysis of Algorithm Observation
Document96 pages
Vtu 4th Sem Design and Analysis of Algorithm Observation
bhargav dancer
No ratings yet
Objectives:: Intro To Web Development
Document43 pages
Objectives:: Intro To Web Development
Juan Camilo LEAL ROJAS
100% (1)
Spring AOP: Aspect Oriented Programming
Document18 pages
Spring AOP: Aspect Oriented Programming
Ankit Jain
No ratings yet
Building REST Services With Spring
Document46 pages
Building REST Services With Spring
Pham Van Thuan
No ratings yet
Jax-Rs Hello World With Resteasy
Document25 pages
Jax-Rs Hello World With Resteasy
Punit Batra
No ratings yet
K V Rao Adv Java PDF
Document151 pages
K V Rao Adv Java PDF
Feleke Afework
No ratings yet
Spring 3 JavaConfig Example
Document8 pages
Spring 3 JavaConfig Example
Bala Kulandai
No ratings yet
Cookies in Servlet
Document8 pages
Cookies in Servlet
Shobha Kumar
No ratings yet
Spring MVC: Model - View
Document33 pages
Spring MVC: Model - View
Nitish Yadav
No ratings yet
Java Coding Standard: Revision: March 15, 2002
Document39 pages
Java Coding Standard: Revision: March 15, 2002
yjenith
No ratings yet
Spring MVC Tutorial
Document18 pages
Spring MVC Tutorial
KarthikhaKV
No ratings yet
AOP With Spring Framework
Document2 pages
AOP With Spring Framework
postman demon
No ratings yet
Hibernate
Document25 pages
Hibernate
Prashanth Sagar
No ratings yet
Springapplication Springbootapplication: Import I Mport
Document25 pages
Springapplication Springbootapplication: Import I Mport
ayush
No ratings yet
Programming. Javascript Supports Oop With Prototypal Inheritance. Good To Hear
Document19 pages
Programming. Javascript Supports Oop With Prototypal Inheritance. Good To Hear
dhaval khunt
No ratings yet
Notes - JWT + Spring Security Overview
Document8 pages
Notes - JWT + Spring Security Overview
Khôi Nguyên Huỳnh Kỳ
No ratings yet
Webservice Interview Questions
Document5 pages
Webservice Interview Questions
Waqar Ahmed
No ratings yet
JAVA 8 Features
Document9 pages
JAVA 8 Features
ss
No ratings yet
Spring Interview Questions and Answers - Spring Framework Training - Edureka
Document21 pages
Spring Interview Questions and Answers - Spring Framework Training - Edureka
satish.sathya.a2012
No ratings yet
Java 8 Support in Hibernate 5 - Thoughts On Java Library PDF
Document17 pages
Java 8 Support in Hibernate 5 - Thoughts On Java Library PDF
Ravi
No ratings yet
Spring
Document26 pages
Spring
Sourabh Jain
No ratings yet
Hibernate Interview Questions and Answers: 1.what Is ORM ?
Document34 pages
Hibernate Interview Questions and Answers: 1.what Is ORM ?
nada abdelrahman
No ratings yet
Exception Handling 1
Document32 pages
Exception Handling 1
Manoj Kavedia
No ratings yet
Core Java-2
Document216 pages
Core Java-2
Saumya Swain
No ratings yet
Modern Web Applications with Next.JS: Learn Advanced Techniques to Build and Deploy Modern, Scalable and Production Ready React Applications with Next.JS
From Everand
Modern Web Applications with Next.JS: Learn Advanced Techniques to Build and Deploy Modern, Scalable and Production Ready React Applications with Next.JS
Shubham Jain
No ratings yet
Design of Reinforced Cement Concrete Elements
Document14 pages
Design of Reinforced Cement Concrete Elements
Sudeesh M S
No ratings yet
Precursor Effects of Citric Acid and Citrates On Zno Crystal Formation
Document7 pages
Precursor Effects of Citric Acid and Citrates On Zno Crystal Formation
Alv R Gracia
No ratings yet
Create A Visual Doppler
Document1 page
Create A Visual Doppler
Rahul Gandhi
No ratings yet
ISA InTech Journal - April 2021
Document50 pages
ISA InTech Journal - April 2021
Ike Edmond
No ratings yet
(Sat) - 072023
Document7 pages
(Sat) - 072023
DhananjayPatel
No ratings yet
Quotation of Suny PDF
Document5 pages
Quotation of Suny PDF
Haider King
No ratings yet
Maya Deren Paper
Document9 pages
Maya Deren Paper
quietinstrumentals
No ratings yet
Bcom (HNRS) Project Final Year University of Calcutta (2018)
Document50 pages
Bcom (HNRS) Project Final Year University of Calcutta (2018)
Balaji
100% (1)
Img 20150510 0001
Document2 pages
Img 20150510 0001
api-284663984
No ratings yet
IT Level 4 COC
Document2 pages
IT Level 4 COC
fikru tesefaye
0% (1)
BBL PR Centralizer Rig Crew Handout (R1.1 2-20-19)
Document2 pages
BBL PR Centralizer Rig Crew Handout (R1.1 2-20-19)
Nina
No ratings yet
SPC FD 00 G00 Part 03 of 12 Division 06 07
Document236 pages
SPC FD 00 G00 Part 03 of 12 Division 06 07
marco.w.orascom
No ratings yet
Manuel SYL233 700 E
Document2 pages
Manuel SYL233 700 E
Siddiqui Sarfaraz
No ratings yet
Universitas Tidar: Fakultas Keguruan Dan Ilmu Pendidikan
Document7 pages
Universitas Tidar: Fakultas Keguruan Dan Ilmu Pendidikan
Theresia Calcutaa Wil
No ratings yet
A Content Analysis of Seabank
Document13 pages
A Content Analysis of Seabank
Marielet Dela Paz
No ratings yet
Direction
Document1 page
Direction
Jessica Bacani
No ratings yet
Ultracold Atoms Slides
Document49 pages
Ultracold Atoms Slides
laubbaum
No ratings yet
Galgotias University Uttar Pradesh School of Computing Science & Engineering B.Tech. (CSE) 2018-19 Semester Wise Breakup of Courses
Document2 pages
Galgotias University Uttar Pradesh School of Computing Science & Engineering B.Tech. (CSE) 2018-19 Semester Wise Breakup of Courses
Rohit Singh Bhati
No ratings yet
Very Narrow Aisle MTC Turret Truck
Document6 pages
Very Narrow Aisle MTC Turret Truck
firdaushalam96
No ratings yet
Smartfind E5 g5 User Manual
Document49 pages
Smartfind E5 g5 User Manual
drewlio
No ratings yet
Introduction To Ethics
Document18 pages
Introduction To Ethics
Marielle Guerra04
No ratings yet
The Ovation E-Amp: A 180 W High-Fidelity Audio Power Amplifier
Document61 pages
The Ovation E-Amp: A 180 W High-Fidelity Audio Power Amplifier
Nini Farribas
100% (1)