Contents
Overview
What are Personas
Business Decision Maker
Architect
Developer
Tester/QA
Understanding XSS for the Business Decision Maker
Risk
Business Impact
Fixing the Code
Resources and Training for Business Decision Makers
Understanding XSS for the Architect
Identifying the Problem
Common XSS Attacks
Designing a Fix
Input Validation Rules
Output Encoding Rules
Future Design Considerations
Tools for Designing Software That Prevents XSS
Resources and Training for Architects/PMs
Understanding XSS for the Developer
Identifying XSS Exploits
Identifying Untrusted Input
Identifying Untrusted Output
Stealing Cookies and User Information
Writing Secure Code
Validating Untrusted Input
An Alternative Approach: Sanitize Untrusted Input
Validating Trusted Output
Protecting Cookies and User Information from XSS
Use ValidateRequest
Tools and Libraries
Resources and Training for Developers
Understanding XSS for the Tester/QA
Identifying Insecure Code
Map Out the Site and Its Functionality
Identify and List Out Every Point of User-Supplied Input
Start Testing and Pay Attention to the Output
Verifying Security Against XSS Attacks
Modifying Your Test Process for XSS
Tools You Can Use
Resources and Training for Testers
The Microsoft SDL and Preventing XSS
Long-Term Solutions
Conclusion
Acknowledgements