user1095983

Reputation: 7

XSS attack : Alternative to OWASP?

Is there any alternative way to prevent XSS attacks other than the OWASP XSS filter software? I need suggestions on whether it is possible to prevent them at the Apache level. I am not a security expert, so I need detailed information. Thanks for your help.

Upvotes: 0

Views: 3305

Answers (2)

Yakov Zaytsev

Reputation: 1

Another approach is to perform dynamic application scanning testing (DAST), exporting the filters found, which are then imported into a web application firewall.

A web application firewall can be deployed as part of your Apache server. ModSecurity is an example of such a firewall.

Upvotes: 0

mesutozer

Reputation: 2859

XSS issues occur in the presentation layer, when the data is displayed to the end user. So preventing this at the Apache level is not a valid approach.

OWASP ESAPI is a library (not filter software) that provides XSS protection as an API to encode data in the presentation layer. Whenever something that is affected by user input is to be displayed, proper encoding should be applied. For example, the OWASP XSS Prevention Cheat Sheet has the following example for the JavaScript context:

String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );

and this one for the "HTML attribute" context:

String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );

Proper encoding varies depending on the current context (HTML, HTML attribute, JavaScript, etc.).

If you prefer not to use the OWASP library, you can do the encoding using other libraries like apache.commons.StringEscapeUtils. But you need to be very careful in choosing the correct method for your context.

Upvotes: 2
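The context-dependent encoding mesutozer describes, as an added example that is not part of the original answer and not ESAPI code: the three encoders follow the OWASP cheat-sheet rules the answer cites, while `isSafeForContext`, `render` and the sample input are constructed here to show why the HTML body encoder is not enough for an attribute or a script string.

```javascript
// Context-specific output encoders following the OWASP XSS Prevention Cheat Sheet rules.
// Added example written for this answer: it mirrors what ESAPI's encodeForHTML,
// encodeForHTMLAttribute and encodeForJavaScript do, but it is not ESAPI code.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };

// HTML body context (text between tags): entity-encode the six significant characters.
function encodeForHTML(input) {
  return String(input).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// HTML attribute context: encode everything except [A-Za-z0-9] as &#xHH;. Broader than the
// body rule because an unquoted attribute also ends at space, =, ` and other characters.
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string context: \xHH below 256, \uHHHH otherwise. Entity encoding is the wrong
// tool here because the browser does not decode HTML entities inside a <script> block.
function encodeForJavaScript(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (c) => {
    const cp = c.charCodeAt(0);
    const hex = cp.toString(16).toUpperCase();
    return cp < 256 ? `\\x${hex.padStart(2, "0")}` : `\\u${hex.padStart(4, "0")}`;
  });
}

// Characters that would end the current syntactic context if they reached the page raw.
const CONTEXT_BREAKERS = {
  html: /[<>]/,            // starts or closes a tag
  attribute: /["'<>=` ]/,  // closes a quoted value or ends an unquoted one
  script: /['"<>\/]/,      // closes the string literal or forms </script>
};

// True when the encoded value no longer contains any breaker for the given context.
function isSafeForContext(encoded, context) {
  return !CONTEXT_BREAKERS[context].test(encoded);
}
// Constructed sample input: quotes, a slash, angle brackets, a space and "=" are exactly
// the characters that matter in the three contexts above.
const SAMPLE = `Bob's "quoted" </b> name=x`;

function render(input) {
  return {
    html: `<div>${encodeForHTML(input)}</div>`,
    attribute: `<input value=${encodeForHTMLAttribute(input)}>`,   // unquoted on purpose
    script: `<script>var name = '${encodeForJavaScript(input)}';</script>`,
  };
}
```

Running `isSafeForContext(encodeForHTML(SAMPLE), "attribute")` returns false because the body encoder leaves the space and `=` untouched, while the attribute and JavaScript encoders pass the check for their own contexts.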
