V5 - confusing/duplicate so called "XSS" requirements #524

Closed
elarlang opened this issue Feb 22, 2019 · 1 comment

@elarlang (Collaborator)

requirements

  • 5.3.2 Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, URL Parameters, HTTP headers, SMTP, and others as the context requires.
  • 5.3.4 Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS.
  • 5.3.5 Verify that any user-supplied data included in the browser's DOM or web views protects against JavaScript code execution and XSS attacks.
  • 5.2.6 Verify that where potentially untrusted data is copied from one DOM context to another, the transfer uses safe JavaScript methods, such as using innerText or jQuery .val, to ensure the application is not susceptible to DOM Cross-Site Scripting (XSS) attacks.

problems

  • not clear what the reason is for 5.3.4 and 5.3.5. What do those add that is not already covered by 5.3.2 and 5.2.6?
  • based on my pen-test experience, JavaScript injection is one of the most widespread problems in this category and it's worth mentioning JavaScript separately in 5.3.2 or (even better) having a separate point for JavaScript syntax - to make a clear statement for developers that HTML injection and JavaScript injection are different problems and there is no such magic thing as an "XSS security hole" with just one way to fix it.

related issues

recommendation

  • merge 5.3.4 and 5.3.5 into 5.3.2 and 5.2.6, OR make the requirement text clearly understandable - what is the difference between those requirements?
  • mention JavaScript in 5.3.2 or make an additional requirement for JavaScript escaping/encoding (as there are separate requirements for other syntaxes - SQL, LDAP, OS commands, paths, XML, ...)
@vanderaj (Member)

@elarlang Please review the various changes in here, 449 and 579, and see if it is now more about JavaScript in 5.2.6, with less duplication of XSS controls.
