Category: OWASP 2010 A2
-
OWASP A2 – Cross-Site Scripting (XSS) with PHP Part 4
This is going to be a short post that expands upon input validation controls. These routines are in addition to those found in the OWASP ASVS and should be utilized where possible to help mitigate the risk of any type of injection attack (XSS, SQLi, LDAPi, XMLi, Command injection, etc). There are two other major…
-
OWASP A2 – Cross-Site Scripting (XSS) with PHP Part 3
Last week we finished up input validation, which represents one half of the solution towards preventing XSS. This week we will cover the other half: output encoding. Output encoding protects the application in the event that malicious script data somehow makes its way into the database or a form parameter. It is a fail-safe…
-
OWASP A2 – Cross-Site Scripting (XSS) with PHP Part 2
Today we will finish up ASVS section 5. Next week we will begin ASVS 6.x (Output Encoding/Escaping Requirements). This should be a pretty short post. ASVS 5.6 Requirement: Verify that a single input validation control is used by the application for each type of data that is accepted. ASVS 5.6 Solution: Watch out for data…
-
OWASP A2 – Cross-Site Scripting (XSS) with PHP Part 1
We are finally starting a new OWASP Top 10 security risk today. The next few weeks (or possibly month) will cover XSS prevention techniques in PHP. This is probably a little more glamorous/sexy than authentication and session management. Controls to protect an application against XSS are primarily represented in the OWASP ASVS sections 5 and…