doctype-mirror - ArticlesXSS.wiki


== Web security ==

  • Introduction to Cross-Site Scripting Vulnerabilities
  • Everything you ever wanted to know about cross-site scripting (XSS) attacks
  • HOWTO filter user input in tag attributes
  • HOWTO filter user input in regular body text
  • HOWTO filter user input in JavaScript event handlers
  • HOWTO filter user input in HTTP headers
  • HOWTO filter user input in JavaScript context
  • HOWTO filter user input in style elements and attributes
  • HOWTO filter user input in URL attributes
  • HOWTO protect against cross-domain data disclosure attacks
  • HOWTO protect against E4X injection attacks
  • Compartmentalizing applications within the same domain
  • UTF-7: the case of the missing charset
  • Malformed UTF-8: Who said "hello%EE" can't be dangerous
  • HOWTO protect against malicious images and other non-HTML content
  • HOWTO serve untrusted files as downloads
  • Introduction to Flash security
  • Flash cross-domain policy files
  • Flash cross-domain policy attacks
  • Flash getURL XSS attacks
  • Flash clickTAG XSS attacks
  • Flash TextField XSS attacks
  • Flash loadMovie XSS attacks
  • Flash asFunction XSS attacks
  • Flash URL parameter attacks
  • HOWTO secure your Flash applications