owasp

Is preventing open redirect attacks in nodejs secure?

不羁岁月 submitted on 2019-12-05 09:55:26
I'm trying to prevent an open redirect attack. Please look at the code below and check it for security: var url = require('url'); // http://example.com/login?redirect=http://example.com/dashboard app.get('/login', function (req, res, next) { var redirect = req.query.redirect, paths = url.parse(redirect); if (paths.host !== req.headers.host) { return next(new Error('Open redirect attack detected')); } return res.redirect(redirect); }); Is it enough to prevent open redirect attacks, or should I add anything else? CWE-601: URL Redirection to Untrusted Site ('Open Redirect') Description of Open Redirect

AntiSamy parser force closing tag

送分小仙女□ submitted on 2019-12-05 06:19:39
I use AntiSamy for validating HTML. My policy allows iframes, like YouTube videos. The problem is: if the tag is empty (like this): <iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=player_detailpage" allowfullscreen></iframe> then after cleaning it will be like this: <iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=player_detailpage" allowfullscreen/> But it should have a normal closing tag, and this breaks all content on the page after it. I already set my directives to use HTML rather than XML as much as possible: <directives> <directive name="omitXmlDeclaration" value="true"/> <directive name=

GWT & XSRF Protection

你说的曾经没有我的故事 submitted on 2019-12-05 05:43:36
I'm looking at possible solutions to protect my GWT app against XSRF. If I understand GWT's solution correctly, it makes available a Servlet which you use both to generate the token on the client side (when calling your RPC endpoint) and to validate it on the server side (when the call hits your service). Does this solution only cater for RPC calls? Surely we need it to cover all user-generated requests to the server? Any other recommended XSRF solutions (I'm also looking at OWASP's CSRFGuard)? I modified the GWT Sample App to be protected against XSRF. This solution is roughly based on the

Running jasperserver behind nginx: Potential CSRF attack

好久不见. submitted on 2019-12-05 01:27:41
We are using nginx for HTTPS traffic offloading, proxying to a locally installed JasperServer (5.2) running on port 8080. internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver When accessing the JasperServer directly on its port everything is fine. When accessing the service through nginx some functionality is broken (e.g. editing a user in the JasperServer UI) and the JasperServer log has entries like this: CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%) After some

GWT SafeHTML, XSS & Best Practices

本秂侑毒 submitted on 2019-12-05 01:10:40
Question: The good people of OWASP emphasize that you MUST use the escape syntax for the part of the HTML document you're putting untrusted data into (body, attribute, JavaScript, CSS, or URL). See OWASP - XSS. Their API (developed by the ESAPI team) caters for this by having encoders for each context: ESAPI.encoder().encodeForHTML("input"); ESAPI.encoder().encodeForHTMLAttribute("input"); ESAPI.encoder().encodeForJavaScript("input"); ESAPI.encoder().encodeForCSS("input"); ESAPI.encoder()

CSRFGuard - request token does not match session token

蹲街弑〆低调 submitted on 2019-12-04 19:33:09
I am trying to incorporate the CSRFGuard library in order to rectify some CSRF vulnerabilities in an application. However, after configuring it as specified here, I am now getting the messages below in the log when I navigate the application: WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:169.xx.x.xxx, uri:/myapp/MyAction, error:request token does not match session token) Through including the: <script src="/sui/JavaScriptServlet"></script> on my main.jsp page, the links have all been built incorporating the CSRFGuard token, e.g. ......./myapp/MyAction

Error when using ESAPI validation

核能气质少年 submitted on 2019-12-04 17:55:13
I hope someone can help me with an issue. I'm using OWASP ESAPI 2.1.0 with Java EE to help me validate some entries in a web application. At some point I needed to validate a Windows file path, so I added a new property entry in 'validation.properties' like this one: Validator.PathFile=^([a-zA-Z]:)?(\\\\[\\w. -]+)+$ When I try to validate, for example, a string like "C:\TEMP\file.txt" via ESAPI, I get a ValidationException: ESAPI.validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false); Alternatively, I also tried the java.util.regex.Pattern class to test

Cross-Site Scripting (XSS)

此生再无相见时 submitted on 2019-12-04 17:12:45
Cross-Site Scripting (XSS) What Is XSS? Cross-site scripting (XSS) is a type of web application vulnerability that enables attackers to inject client-side script into web pages viewed by other users and, once the injected script is executed, to bypass the same-origin policy. (Note: the same-origin policy cannot stop you from sending a request.) XSS exploits web applications (e.g., blogs, message boards, etc.) with dynamic content that is produced from user input that is not validated or encoded. By injecting malicious code, XSS attacks turn the web applications from the data context into code

How to structure my app to use Firebase, Braintree, Ionic/AngularJS, and a minimal nodejs server

送分小仙女□ submitted on 2019-12-04 11:25:05
Refer to this question: Braintree Dropin UI does not work with Ionic Framework unless force refresh My current Ionic / Angular / Firebase + a very simple Node server app has a security issue when using Braintree to charge a user's credit card. The problem, according to @RaymondBerg, is that a client can post any customerId, create a Braintree token and charge that customer, since all my user authorization happens in Firebase / Angular, i.e. client side. So when a user does a $HTTP.post from my AngularJS/Ionic app to my Node server, I don't want to authorize them again (as I don't even know how to do that so

GWT SafeHTML, XSS & Best Practices

瘦欲@ submitted on 2019-12-03 15:29:07
The good people of OWASP emphasize that you MUST use the escape syntax for the part of the HTML document you're putting untrusted data into (body, attribute, JavaScript, CSS, or URL). See OWASP - XSS. Their API (developed by the ESAPI team) caters for this by having encoders for each context: ESAPI.encoder().encodeForHTML("input"); ESAPI.encoder().encodeForHTMLAttribute("input"); ESAPI.encoder().encodeForJavaScript("input"); ESAPI.encoder().encodeForCSS("input"); ESAPI.encoder().encodeForURL("input"); This then allows the developer to cater for DOM-based XSS. So my question