diff --git a/skf/markdown/knowledge_base/3-knowledge_base--XSS_injection--.md b/skf/markdown/knowledge_base/3-knowledge_base--XSS_injection--.md index 41be2bcd5..01a1ec2d8 100755 --- a/skf/markdown/knowledge_base/3-knowledge_base--XSS_injection--.md +++ b/skf/markdown/knowledge_base/3-knowledge_base--XSS_injection--.md @@ -5,7 +5,12 @@ this data in the application background, these parameters should be escaped for code in order to prevent cross-site scripting injections. When an attacker gains the possibility to perform an XSS injection, he is given the opportunity to inject HTML and JavaScript code directly into the -application. This could lead to accounts being compromised by stealing session cookies or directly affect the operation of the target application. +application. This could lead to accounts being compromised by stealing session cookies or directly +affect the operation of the target application. + +Altough templating engines(razor, twig, jinja, etc) and context-aware applications(Angular, React, etc) +do a lot of auto escaping for you. These frameworks should always be validated for effectiveness. + ## Solution: 
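Review bot: the added paragraph is a sentence fragment with a typo: "Altough templating engines(razor, twig, jinja, etc) ... do a lot of auto escaping for you." ends at the subordinate clause, so "Although" should be joined to the following sentence, e.g. "Although templating engines (Razor, Twig, Jinja, etc.) and context-aware frameworks (Angular, React, etc.) do a lot of auto-escaping for you, their effectiveness should always be validated." Angular and React are frameworks, not "applications", and a space is missing before each opening parenthesis. It would also help the reader to say what "validated for effectiveness" means: auto-escaping only covers the output contexts the engine recognizes (the same HTML, attribute, URL and JavaScript contexts this page lists under Solution), and every engine offers an explicit way to emit raw or "safe" output that switches escaping off, so reviews should look for those call sites.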
@@ -23,9 +28,10 @@ your html with encoding libraries specially designed for this purpose. You should take into consideration that there are several contexts for encoding user-input for escaping XSS injections. These contexts are amongst others: -HTML encoding is for whenever your user-input is displayed directly into your HTML. -HTML attribute encoding is the type of encoding/escaping that should be applied whenever your user input is displayed into the attribute of your HTML tags. -HTML URL encoding ;This type of encoding/escaping should be applied to whenever you are using user-input into a HREF tag. +* HTML encoding, is for whenever your user-input is displayed directly into your HTML. +* HTML attribute encoding, is the type of encoding/escaping that should be applied + whenever your user input is displayed into the attribute of your HTML tags. +* HTML URL encoding, this type of encoding/escaping should be applied to whenever you are using user-input into a HREF tag. JavaScript encoding should be used whenever parameters are rendered via JavaScript; your application will detect normal injections in the first instant. But your application still remains vulnerable to JavaScript encoding which will not be detected by the normal encoding/escaping methods.
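Review bot: the new bullet list stops one item short: "JavaScript encoding should be used whenever parameters are rendered via JavaScript" is the fourth context in the same enumeration ("These contexts are amongst others:") and should also get a leading "* ". Each new bullet has a comma splice between subject and verb ("* HTML encoding, is for whenever", "* HTML attribute encoding, is the type"); drop the comma or keep the original colon/semicolon style consistently. "HREF tag" should read "href attribute", since href is an attribute, and the URL-encoding bullet should say that the value placed in an href needs URL encoding for the parameter and then HTML attribute encoding for the attribute context, otherwise the bullet contradicts the attribute bullet above it. The unchanged JavaScript sentence is also unclear as written: "your application still remains vulnerable to JavaScript encoding" should say that the JavaScript context remains vulnerable when only HTML encoding is applied, because HTML escaping does not neutralise a payload rendered inside a script block or inline handler.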