CheatSheetSeries | The OWASP Cheat Sheet Series was created to provide a concise collection of high value information o | Cybersecurity library
kandi X-RAY | CheatSheetSeries Summary
Welcome to the official repository for the Open Web Application Security Project (OWASP) Cheat Sheet Series project. The project focuses on providing good security practices for builders in order to secure their applications. In order to read the cheat sheets and reference them, use the project official website. The project details can be viewed on the OWASP main website without the cheat sheets. Markdown files are the working sources and aren't intended to be referenced in any external documentation, books or websites.
Community Discussions
Trending Discussions on CheatSheetSeries
QUESTION
Currently I am using JDK 1.8. I need to know what JAXP version is available. To avoid a Sonar violation, I am trying to set the properties below, resulting in "org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized."

SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

I am referring to https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory. I also checked many blogs stating that JAXP version 1.5 and above should support this. Any suggestion will help me debug further.
ANSWER
Answered 2022-Apr-03 at 23:07
There is no such thing as a "javax version". You have misread the page you linked to. What it actually says is:
Note: Use of the following XMLConstants requires JAXP 1.5, which was added to Java in 7u40 and Java 8:
JAXP != javax
JAXP 1.5 actually refers to a specification. And as stated in the text I just quoted, Java 8 supports the relevant features of the JAXP 1.5 specification.
So if you want to use the constants listed in the OWASP cheatsheet, you need to build your code for Java 7u40 or Java 8 or later, and run it on a JVM that provides a JAXP 1.5 or later implementation.
(In fact Java 8 supports JAXP 1.6 ... according to https://docs.oracle.com/javase/8/docs/technotes/guides/xml/jaxp/index.html)
If you are getting runtime errors saying that those properties are not supported, that implies that you have configured your application to use an XML implementation (provider) that doesn't support JAXP 1.5. But you haven't said anything about that ...
It is possible that these Q&As are relevant:
QUESTION
I've started playing with XSS to better improve my security posture at work. I've been able to successfully exploit a reflected XSS attack using a redirected POST form, but I can't seem to remove the extraneous characters displayed on the page.
I've checked:
How to load javascript on another webpage through XSS?
But none of the suggestions seem to work for me.
My exploit is a basic form, exploiting a PHP server side script I've configured echoing $_POST['username'] into the value attribute:
ANSWER
Answered 2022-Apr-03 at 22:27
I eventually figured it out after hours of trial and error. The idea is to close the dangling tag with a separate tag:
So the previous payload was:
QUESTION
What is the meaning of context in the passage below?
The first rule is to deny all - don't put untrusted data into your HTML document unless it is within one of the slots defined in Rule #1 through Rule #5. The reason for Rule #0 is that there are so many strange contexts within HTML that the list of encoding rules gets very complicated. We can't think of any good reason to put untrusted data in these contexts. This includes "nested contexts" like a URL inside a JavaScript -- the encoding rules for those locations are tricky and dangerous.
If you insist on putting untrusted data into nested contexts, please do a lot of cross-browser testing and let us know what you find out.
This passage is taken from Cross Site Scripting Prevention - OWASP Cheat Sheet Series. There, you can find rule #0 through rule #5.
ANSWER
Answered 2021-Dec-31 at 06:46
"Contexts" here refers to basically places where text can go in an HTML document. The OWASP XSS Prevention guide you're referencing aims to educate developers on how to safely place untrusted data in HTML.
Because HTML can do a lot of different stuff, it's important to understand exactly where your untrusted data is going so you can understand the risks and specific mitigation strategies.
The link you provided identifies several contexts:
QUESTION
Reading this XSS cheat sheet, I noticed a special usage I have never seen:
ANSWER
Answered 2021-Dec-23 at 04:47
It's just an attribute on the element. It doesn't have any meaning by itself, so it may be present simply as a red herring.
Prettified, the code is:
QUESTION
From the OWASP's website https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html:
Send a Content-Security-Policy HTTP response header from your web server.
Content-Security-Policy: ...
Using a header is the preferred way and supports the full CSP feature set. Send it in all HTTP responses, not just the index page.
I don't understand how that could be true, as it is possible to set the Content-Security-Policy by using a meta tag in the HTML. I also don't see how the policy can apply to anything else but HTML pages.
Does anyone have an idea why that statement above was made and if it is safe to only send the HTTP header Content-Security-Policy for text/html responses?
By the way, the policy is too big and I would like to send as few bytes as possible.
ANSWER
Answered 2021-Oct-28 at 12:46
This is still something that's not formally specified and there is still some debate on this: https://github.com/w3c/webappsec/issues/520
In general there are two arguments here:
On the one hand some other file types (XML, PDF, perhaps even SVGs) could benefit from CSP and any resource could become the page by right clicking and opening in a separate tab.
On the other hand CSPs can get quite big and are usually written for HTML pages. So a bit wasteful to send on other resources and most of it won’t be relevant.
The right answer (as suggested above) is probably to have a reduced, and very strict, CSP for all non-HTML responses.
But I think for most people having it on the HTML only will be good enough and bring most of the benefits of CSP. Then again CSP is an advanced technique so if going as far as that, then why not do it properly?
QUESTION
Problem
I'm using Apache FOP to produce a PDF from an XML and XSL file. The XML file is downloaded from an external site, not generated by me, so any manipulation of it would need to be scripted. It contains tags that contain anchor HTML tags inside of them intended to be named hyperlinks, but the xsl:value-of tag seems to somehow strip any functionality of anchor tags inside of the string itself and leaves the PDF report to have the display text of the anchor, but not the hyperlink, leading to "click here" labels that aren't actually clickable with no way to tell what the URL was supposed to be because the href tag is completely gone.
XML (snippet)
ANSWER
Answered 2021-Oct-14 at 08:18
The xsl:value-of instruction does exactly what you are describing: it extracts the string value of an element, dropping all internal markup.
To retain the existing markup unchanged, use the xsl:copy-of instruction.
To process the internal markup, turning it into something else, use the xsl:apply-templates instruction, with appropriate template rules to handle the descendant elements encountered.
Finally, please don't use w3schools as your primary learning resource. It's handy as a quick reference when you understand the concepts of the language and need a reminder of the details. It's not a good way of learning the concepts initially. It's also not a good place to go once you're beyond the basics and need a detailed explanation of edge cases (it tends to simplify).
Note: you say "I can't find anything that explicitly says that xsl:value-of invalidates anchor tags inside of the string it returns". w3schools says "The xsl:value-of element extracts the value of a selected node." But (typically) it doesn't say what it means to "extract the value". If you go to the XSLT 1.0 specification, however (https://www.w3.org/TR/xslt-10/#value-of) it's very clear: "The xsl:value-of element is instantiated to create a text node in the result tree. The required select attribute is an expression; this expression is evaluated and the resulting object is converted to a string as if by a call to the string function. The string specifies the string-value of the created text node." The fact that xsl:value-of creates a text node means (if you've understood the concept of the tree model) that it can't possibly retain any descendant node structure.
QUESTION
OWASP recommends to use Content-Security-Policy: frame-ancestors 'none' in API responses in order to avoid drag-and-drop style clickjacking attacks.
However, the CSP spec seems to indicate that after the HTML page is loaded any other CSP rules in the same context would be discarded without effect. Which makes sense in my mental model of how CSP works but if OWASP recommends it then I'm sure missing something.
Can anyone explain how can a CSP header in a XHR request improve security, after the fact that the HTML page is already loaded and the "main" CSP already evaluated? How that works in the browser?
ANSWER
Answered 2021-Aug-23 at 19:40
The frame-ancestors 'none' directive will indicate to the browser on page load that it should not be rendered in a frame (including frame, iframe, embed, object, and applet tags). In other words the policy does not allow it to be framed by any other pages.
The CSP header for the API or page is read at load. It is not something that happens after the fact. The "main" CSP isn't pertinent because it's the URI in the frame that's sending the CSP for itself over. The browser simply honors the frame-ancestors 'none' request by that URI.
The frame-ancestors directive restricts the URLs which can embed the resource using frame, iframe, object, or embed. Resources can use this directive to avoid many UI Redressing [UISECURITY] attacks, by avoiding the risk of being embedded into potentially hostile contexts.
References
CSP frame-ancestors
Clickjacking Defense Cheat Sheet
Content Security Policy
Web Sec Directive Frame Ancestors
QUESTION
For my studies I have to develop a web site that verifies, from a given URL, whether it is vulnerable to DOM Based XSS and then prints a report of what it found. I already read a lot of articles, and specifically these ones: Description of xss, Documentation on prevention, Doc on prevention of DOM based
but I'm stuck at a point, which is:
...How can I inspect/analyze the DOM of a page from a given URL, from my web site (html/js/jquery)
ANSWER
Answered 2021-Jun-12 at 08:55
The Same Origin Policy prevents this.
You'll need to find a different approach.
QUESTION
Scenario: As an Administrator I need to invalidate a user's session (log them out) after I update the user's password. This is in accordance with best practices as per https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#Renew_the_Session_ID_After_Any_Privilege_Level_Change
I am using Devise and I saw here https://stackoverflow.com/a/45756884/664675 there is a config to log the user out: config.sign_in_after_reset_password = false
However, I have enabled this config in my devise.rb but the user remains logged in. Not sure why that is?
I am also using Redis as the session_store
ANSWER
Answered 2021-Jun-02 at 07:12
The flag sign_in_after_reset_password does not relate to logging out a user at all. sign_in_after_reset_password = false implies that in case a user updates his account password by himself, his account is not automatically signed in again, and that logic happens only in PasswordsController#update.
So when you as admin try to change the password of another user in a custom controller, of course it does not log out the user, no matter what the value of sign_in_after_reset_password is.
devise uses the gem warden to log out a user (in other words: destroy the user session), and warden is based on the request session, not on the database. That means there's no way an admin can get another user's session to reset, so you cannot force logout of another user using only devise; you need to handle this feature outside devise (such as adding session to the user table or a devise hook, something like timeoutable).
QUESTION
I'm building an iframe, not with innerHTML, but with createElement. I have two untrusted strings that are used:
ANSWER
Answered 2020-Nov-22 at 21:52
When working with the DOM, there are no html encoding issues in any element properties. The characters <, >, &, ", and ' do not need escaping.
However, you still need to deal with the semantics of the respective attribute. While title is just a plain string that's not used for anything but displaying tooltips, others are not safe:
- on… event handlers contain javascript code. It's a bad practice to assign strings to them anyway, but if you do, interpolating values must follow javascript escaping rules. ⇨ Rule #3
- style properties contain CSS rules which need their own escaping. ⇨ Rule #4
- src or href attributes are urls that the browser will load at some point. Those definitely are sensitive, and when interpolating values into urls you need to follow URL encoding rules. ⇨ Rule #5
- … (not meant to be exhaustive)
In your particular case, if you fail to url-encode the untrustedStr2, the attacker may send arbitrary query parameters or fragments to example.com. This is not a security issue in itself if example.com isn't susceptible to reflected XSS (the attacker may send the same link to the user via other channels), but it is broken functionality (undesired behaviour), but still it's your page endorsing the linked content.
So if untrustedStr2 is meant as a value of the id URI query parameter, you should definitely use
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install CheatSheetSeries
The OWASP Cheat Sheet Series website can be built and tested locally by issuing the following commands: