Tag Archives: XSS

Video PHP Security: XSS (Cross-site Scripting)


Brush up on your PHP security knowledge! Demonstrations and advice on the most common areas of PHP security.

Sleepy Puppy XSS Payload Management Framework


via Netflix/sleepy-puppy · GitHub.

What is Sleepy Puppy?

Sleepy Puppy is a cross-site scripting (XSS) payload management framework which simplifies the ability to capture, manage, and track XSS propagation over long periods of time.

Secure Node Apps Against OWASP Top 10 – Cross Site Request Forgery


via Secure Node Apps Against OWASP Top 10 – Cross Site Request Forgery – Scott Smith.

Welcome to part 4 of the OWASP security series

  1. Injection
  2. Broken Authentication & Session Management
  3. Cross Site Scripting (XSS)
  4. Cross Site Request Forgery (CSRF)
  5. Using Components with Known Vulnerabilities (Coming soon)

In this multipart series, we will explore some of the OWASP top web application security flaws including how they work and best practices to protect your application from them. The focus will be on Express web applications in Node, but the principles shown can be applied to any framework or environment.

This part will cover cross site request forgery (CSRF).

Secure Node Apps Against OWASP Top 10 – Authentication & Sessions


via Secure Node Apps Against OWASP Top 10 – Authentication & Sessions – Scott Smith.

Welcome to part 2 of the OWASP security series

  1. Injection
  2. Broken Authentication & Session Management
  3. Cross Site Scripting (XSS)
  4. Cross Site Request Forgery (CSRF) (Coming soon)
  5. Using Components with Known Vulnerabilities (Coming soon)

In this multipart series, we will explore some of the OWASP top web application security flaws including how they work and best practices to protect your application from them. The focus will be on Express web applications in Node, but the principles shown can be applied to any framework or environment.

This part will cover broken authentication and session management.

Secure Node Apps Against OWASP Top 10 – Cross Site Scripting


via Secure Node Apps Against OWASP Top 10 – Cross Site Scripting – Scott Smith.

Welcome to part 3 of the OWASP security series

  1. Injection
  2. Broken Authentication & Session Management
  3. Cross Site Scripting (XSS)
  4. Cross Site Request Forgery (CSRF) (Coming soon)
  5. Using Components with Known Vulnerabilities (Coming soon)

In this multipart series, we will explore some of the OWASP top web application security flaws including how they work and best practices to protect your application from them. The focus will be on Express web applications in Node, but the principles shown can be applied to any framework or environment.

This part will cover cross site scripting (XSS).

Where to Store Your JWTs – Cookies vs HTML5 Web Storage


via Where to Store your JWTs – Cookies vs HTML5 Web Storage – Stormpath User Management API.

Stormpath has recently worked on token authentication features using JSON Web Tokens (JWT), and we have had many conversations about the security of these tokens and where to store them.

If you are curious about your options, this post is for you. We will cover the basics of JSON Web Tokens (JWT), cookies, HTML5 web storage (localStorage/sessionStorage), and basic information about cross-site scripting (XSS) and cross site request forgery (CSRF).

Let’s get started…

Handlebars Context Pre-compiler


via yahoo/context-parser-handlebars · GitHub.

This pre-compiler automatically conducts HTML5 context analysis on Handlebars templates and inserts markup for XSS-filtering helpers into output expressions based on their surrounding contexts.

The resulting templates can then be further processed with the vanilla Handlebars template engine. With the context-sensitive helpers properly registered at runtime, the context-sensitive escaping will effectively defend against XSS attacks.