Former Member

XSS Filter: How secure are we?

While in production, we came across a recent XSS vulnerability in our application. Our application has all the security patches with the XSS filter. I have 2 questions here:

  1. OOTB, are we using any white-list sanitization?

  2. Why are we relying on blacklist sanitization, as it is highly impractical to identify all possible XSS payloads and this approach is not recommended?


3 Answers

  • Former Member
    Posted on Apr 28, 2015 at 02:18 PM

    Hi Bhanu, thanks for asking this question. There is a recommended way to protect against XSS. So you should take a three-step approach:

    1. Validate the input.

    2. Sanitize/filter the input.

    3. Encode the output.

    This would be defense in depth. You should not rely on a filter, because a filter could be bypassed, and there are several examples where it happened in the wild. So please ensure that you also encode the output to avoid traps. There are also encoding functions delivered in the hybris framework.

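The three layers described in this answer, as an added example in Python (not code from the thread and not the hybris framework's own encoding functions): an allow-list validator for a field with a known shape, a deliberately narrow blacklist filter for free text, and per-context output encoders. The display-name rule, the template and the probe string are constructed for the demonstration; `render_comment(..., apply_filter=False)` simulates the filter being bypassed so you can see that the encoding layer still neutralises the input on its own.

```python
"""Defense in depth against XSS: validate, filter, then encode output.

Added illustration, not hybris code. All rules and sample inputs are constructed.
"""
import html
import re

# --- Step 1: validate. Allow-list for a field whose legal shape is known
# (constructed rule for a display name). Anything outside the list is rejected
# outright; no attempt is made to enumerate "bad" input.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")


def validate_display_name(value: str) -> bool:
    return DISPLAY_NAME_RE.fullmatch(value) is not None


# --- Step 2: sanitize/filter. For free text where no allow-list fits, a
# blacklist removes known-bad patterns. It is intentionally narrow to make the
# point that a blacklist is only ever a partial defense.
SCRIPT_TAG_RE = re.compile(r"</?\s*script\b[^>]*>", re.IGNORECASE)


def blacklist_filter(value: str) -> str:
    return SCRIPT_TAG_RE.sub("", value)


# --- Step 3: encode output for the context it is written into.
def encode_html(value: str) -> str:
    """HTML body text and quoted attribute values: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript string-literal context: everything but ASCII alphanumerics
    becomes \\xHH or \\uHHHH, so quotes and angle brackets cannot end the literal."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


# Constructed template: the same author value lands in an attribute, the body
# lands in element text, and the author also lands inside a JS string.
TEMPLATE = (
    '<div class="comment" data-author="{author_attr}">'
    "<p>{body}</p>"
    "<script>var author = '{author_js}';</script>"
    "</div>"
)


def render_comment(author: str, body: str, apply_filter: bool = True) -> str:
    """Run all three layers. apply_filter=False simulates a filter bypass so the
    encoding layer is exercised alone."""
    if not validate_display_name(author):
        raise ValueError("display name rejected by allow-list")
    if apply_filter:
        body = blacklist_filter(body)
    return TEMPLATE.format(
        author_attr=encode_html(author),
        body=encode_html(body),
        author_js=encode_js_string(author),
    )


def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    """True if the untrusted input reached the page unencoded."""
    return untrusted in rendered


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test string
    print(render_comment("Bhanu", probe))                      # filter stripped the tags
    print(render_comment("Bhanu", probe, apply_filter=False))  # filter missed; output still inert
    print(contains_raw_markup(render_comment("Bhanu", probe, apply_filter=False), probe))
```

The point of the last two lines is the defense-in-depth argument from the answer: with the filter switched off, the rendered page still contains only `&lt;script&gt;...`, because encoding is applied to every untrusted value regardless of what the filter did. Note that `encode_html` is only correct for HTML text and quoted attributes; the JS string context needs its own encoder, which is why the template uses `encode_js_string` there.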

  • Posted on Apr 28, 2015 at 12:14 PM

    Hi,

    The mechanism is described here. As far as I know we rely on blacklisting, and to obtain a good level of security the filter must be tuned to match project-specific requirements.

    Cheers, Wojtek


  • Former Member
    Posted on Sep 17, 2015 at 10:17 AM

    There are also some guidelines in the Wiki available:

    Output Encoding

    https://wiki.hybris.com/display/ytech/Output+Encoding

    Input Validation and Input Filtering

    https://wiki.hybris.com/display/ytech/Input+validation+and+input+filtering
