Java programmers can also defend against XSS

Filed under:Cross site scripting — posted by Consultant on October 11, 2007 @ 3:44 pm

Cross site scripting issues are everywhere. I'll try to provide as many resources as possible for programmers in different programming languages and show them how to take the basic steps towards protection.

Remember the basics: always encode dynamic data at the moment it is rendered into the page sent to the browser, using the encoding that matches the context it lands in. If you browse around the blog you should find more information on XSS and how to educate yourself as a programmer or individual (well, programmers are individuals too, yeah.)

If your programming language is Java, then you should take a look at the StringEscapeUtils class from Apache Commons Lang (package org.apache.commons.lang). It provides a nice set of encoding methods that you need to have handy when programming web-based interfaces.

The API documentation for that class can be found here:

http://jakarta.apache.org/commons/lang/api/org/apache/commons/lang/StringEscapeUtils.html

In addition to the encoding methods, the StringEscapeUtils class also provides the matching decoding methods. Both directions are available in HTML, JavaScript, Java, XML and SQL flavours (the SQL one is not meant for XSS, but is worth mentioning.)

Here's a table of the different methods and references:

static String escapeHtml(String str)
    Escapes the characters in a String using HTML entities.
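To show what "encode at display time" looks like in practice, here is an added example (not code from the original post) that renders the same untrusted value into three different output contexts. It assumes commons-lang 2.x is on the classpath; the method names come from the reference page linked above, while the class SafeRender, its helper methods and the sample input are constructed for this illustration.

```java
import org.apache.commons.lang.StringEscapeUtils;

// Added example: one untrusted value, three output contexts, one encoder per context.
public class SafeRender {

    // Constructed sample input, standing in for a request parameter.
    static final String UNTRUSTED = "<script>alert('xss')</script>";

    // Vulnerable: raw concatenation lets the browser parse the payload as markup.
    static String unsafeHtml(String value) {
        return "<p>Hello, " + value + "</p>";
    }

    // HTML body context: escapeHtml turns < > & " into entities, so the browser
    // shows the text instead of executing it.
    // Output: <p>Hello, &lt;script&gt;alert('xss')&lt;/script&gt;</p>
    static String safeHtml(String value) {
        return "<p>Hello, " + StringEscapeUtils.escapeHtml(value) + "</p>";
    }

    // HTML attribute context: escapeHtml encodes the double quote but NOT the
    // single quote, so the attribute must be delimited with double quotes.
    static String safeAttribute(String value) {
        return "<input type=\"text\" value=\"" + StringEscapeUtils.escapeHtml(value) + "\">";
    }

    // JavaScript string literal context: escapeJavaScript backslash-escapes
    // quotes and forward slashes, so </script> becomes <\/script> and cannot
    // close the enclosing <script> block early.
    // Output: var name = '<script>alert(\'xss\')<\/script>';
    static String safeJsString(String value) {
        return "var name = '" + StringEscapeUtils.escapeJavaScript(value) + "';";
    }

    public static void main(String[] args) {
        System.out.println("Unsafe:     " + unsafeHtml(UNTRUSTED));
        System.out.println("HTML body:  " + safeHtml(UNTRUSTED));
        System.out.println("Attribute:  " + safeAttribute(UNTRUSTED));
        System.out.println("JS string:  " + safeJsString(UNTRUSTED));
    }
}
```

Two points worth keeping in mind when using this class: pick the encoder by where the value is written (HTML-encoding a value that ends up inside a JavaScript string does not protect the script context, and vice versa), and remember that escapeHtml leaves the single quote alone, so single-quoted attributes are not covered by it. For the SQL flavour mentioned above, escapeSql only doubles single quotes; a PreparedStatement with bound parameters is the right tool for that problem.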

I will also cover in future posts any other encoding libraries available out there. For the moment, a nice alternative is Michael Eddington's encoding library, named 'Reform', which has recently (?) been adopted by the OWASP Encoding project. The library and the project can be found at:

http://www.owasp.org/index.php/Category:OWASP_Encoding_Project

Hope that’s enough information for now.
