Contents
Overview    3
What are Personas    4
Business Decision Maker    4
Architect    4
Developer    4
Tester/QA    4
Understanding XSS for the Business Decision Maker    5
Risk    5
Business Impact    5
Fixing the Code    6
Resources and Training for Business Decision Makers    6
Understanding XSS for the Architect    6
Identifying the Problem    6
Common XSS Attacks    7
Designing a Fix    7
Input Validation Rules    8
Output Encoding Rules    8
Future Design Considerations    8
Tools for Designing Software That Prevents XSS    9
Resources and Training for Architects/PMs    9
Understanding XSS for the Developer    9
Identifying XSS Exploits    9
Identifying Untrusted Input    10
Identifying Untrusted Output    10
Stealing Cookies and User Information    11
Writing Secure Code    11
Validating Untrusted Input    11
An Alternative Approach: Sanitize Untrusted Input    12
Validating Trusted Output    13
Protecting Cookies and User Information from XSS    13
Use ValidateRequest    14
Tools and Libraries    14
Resources and Training for Developers    14
Understanding XSS for the Tester/QA    15
Identifying Insecure Code    15
Map Out the Site and Its Functionality    16
Identify and List Out Every Point of User-Supplied Input    16
Start Testing and Pay Attention to the Output    16
Verifying Security Against XSS Attacks    16
Modifying Your Test Process for XSS    17
Tools You Can Use    17
Resources and Training for Testers    18
The Microsoft SDL and Preventing XSS    18
Long-Term Solutions    18
Conclusion    19
Acknowledgements    19