Ask HN: Testing your site for XSS exploits - mshafrir

What tools or techniques do you use to test for and secure your site from XSS exploits?
======
planck
Assume all data entered by users is malicious and encode it properly on
display. That's really all there is to it.

~~~
pwmanagerdied
Amen to that.

Everyone overcomplicated the issue; it's not a difficult issue to solve:
whenever untrusted data is to be displayed to a user, escape it. Problem
solved.

------
lhorie
Tools like Paros <http://www.parosproxy.org/index.shtml> will spider/scan for
some common attack patterns.

It's also definitely nice to have a dedicated QA person (preferably someone
familiar with the code) trying to break your site, both manually and with
tools like Selenium <http://seleniumhq.org/>.

------
tonystubblebine
For people using Rails, sanitize all input before it goes in. Here's a library
for web params. <http://code.google.com/p/sanitizeparams/>

~~~
there
so when some new technique comes out down the road that your input filtering
didn't catch, are you going to update everything in your database? and what
about data that gets in from other sources?

i don't see the benefit in filtering input; html and alert()'s inside a
database don't affect anything until they come back out.

~~~
mbrubeck
Also, proper sanitization is different for HTML, JavaScript, SQL, URIs, and
other contexts.

~~~
tonystubblebine
The question is specifically about XSS, so the context is by definition HTML
and JavaScript.
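An added example, not code from any commenter, of the point made in this subthread: the same stored string needs a different encoder for each output context (HTML body, quoted attribute, JavaScript string literal, URL parameter), and the JavaScript case needs more than quoting because the HTML parser ends a script element at `</script` no matter how the JS string is delimited. Standard library only; the sample input is constructed.

```python
import html
import json
from urllib.parse import quote

# Constructed sample of untrusted user input, stored verbatim (assumption for this example).
UNTRUSTED = '"><script>alert(1)</script>'


def encode_for_html_body(s: str) -> str:
    """Text between HTML tags: & < > " ' become entities, so no tag can start."""
    return html.escape(s, quote=True)


def encode_for_html_attr(s: str) -> str:
    """Value inside a double-quoted attribute; the encoded quote cannot end it.
    Only correct when the template actually quotes the attribute."""
    return html.escape(s, quote=True)


def encode_for_js_string(s: str) -> str:
    """Value placed in a <script> block as a JS string literal. json.dumps gives a
    quoted, backslash-escaped literal but leaves < and > alone; the HTML parser
    ends the script element at '</script' regardless of JS quoting, so < and >
    are emitted as \\u003c / \\u003e, which JS decodes and the HTML parser does not."""
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_for_url_param(s: str) -> str:
    """Value used as a query-string parameter inside an href."""
    return quote(s, safe="")


def render_page(name: str) -> str:
    """The same stored value emitted into four contexts, each with its own encoder."""
    return (
        "<p>Hello, " + encode_for_html_body(name) + "</p>\n"
        '<input value="' + encode_for_html_attr(name) + '">\n'
        "<script>var who = " + encode_for_js_string(name) + ";</script>\n"
        '<a href="/search?q=' + encode_for_url_param(name) + '">search</a>'
    )


def script_element_intact(rendered: str) -> bool:
    """Exactly one opening and one closing script tag must remain;
    a raw '</script' coming from data would close the element early."""
    return rendered.count("<script") == 1 and rendered.count("</script") == 1


if __name__ == "__main__":
    page = render_page(UNTRUSTED)
    print(page)
    print("script element intact:", script_element_intact(page))
```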

------
yan
I would pay someone like me to assess your code and pentest your site :)

If you're planning on doing this yourself, OWASP (www.owasp.org) is a great
resource.