1) Filtering User Input: When a user inputs data into the website, the developers want it to be filtered as strictly as possible while still getting the same output as if there was no filter.
2) Response Headers: To prevent XSS in HTTP responses that aren't supposed to contain any HTML or JavaScript, developers can use the Content-Type and X-Content-Type-Options headers to make sure browsers interpret the response the way it's intended.
3) Encoding Data Output: Depending on the context the output is written into, this usually requires a combination of HTML, URL, JavaScript, and CSS encoding to make sure user-controllable data in HTTP responses is encoded.
4) XSS in Java Apps: Devs can filter inputs against a whitelist of allowed characters and use libraries like Google Guava to HTML-encode output for HTML contexts. They can also use JavaScript Unicode escapes for JavaScript contexts.
5) XSS in PHP Apps: Devs can filter inputs against a whitelist of allowed characters and use type hints. They can also escape output with htmlentities and ENT_QUOTES for HTML contexts, and use JavaScript Unicode escapes for JavaScript contexts.
Feel free to add more to this thread. And happy XSS hunting.
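Items 1 to 3 above as an added Python example (not from the original thread): one value is allow-list filtered, then encoded separately for HTML, URL and JavaScript string contexts, and a non-HTML response gets the two headers from item 2. The function names and the sample input are constructed for illustration, and CSS encoding is left out.

```python
import html
import re
from urllib.parse import quote

# Constructed sample input, not taken from the thread.
SAMPLE = "\"><script>alert(1)</script>'\\"

def filter_username(value: str) -> str:
    """Item 1: strict allow-list; reject rather than try to repair."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", value):
        raise ValueError("unexpected characters in input")
    return value

def encode_html(value: str) -> str:
    """HTML body / quoted attribute context: & < > " ' become entities."""
    return html.escape(value, quote=True)

def encode_url(value: str) -> str:
    """URL component context: percent-encode all but unreserved characters."""
    return quote(value, safe="")

def encode_js(value: str) -> str:
    """JavaScript string context: every non-alphanumeric becomes \\uXXXX."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        # UTF-16 code units, so characters outside the BMP stay valid escapes.
        units = ch.encode("utf-16-be")
        for i in range(0, len(units), 2):
            out.append(f"\\u{int.from_bytes(units[i:i + 2], 'big'):04x}")
    return "".join(out)

def json_response_headers() -> dict:
    """Item 2: declare a non-HTML type and forbid MIME sniffing."""
    return {"Content-Type": "application/json; charset=utf-8",
            "X-Content-Type-Options": "nosniff"}

def render(value: str) -> str:
    """Item 3: same value, three contexts, each with its own encoder."""
    return (f"<p>{encode_html(value)}</p>\n"
            f'<a href="/search?q={encode_url(value)}">again</a>\n'
            f'<script>var q = "{encode_js(value)}";</script>')

if __name__ == "__main__":
    print(render(SAMPLE))
    print(json_response_headers())
```

HTML entity encoding alone does not protect the script block, because entities are not decoded there and a backslash or quote still changes the string; that is why each context has its own encoder.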
Networking is a massive topic, but when starting out in cyber security, you have to know the commonly used methods to uncover the potential areas of interest that you can leverage as an attacker.
1. The OSI Model: can be seen as a universal language for computer networking. It’s based on the concept of splitting up a communication system into seven abstract layers, each one stacked upon the last.
Read more: bit.ly/3DkBEZs
2. Encapsulation: This is the process of adding additional information as data travels through the OSI or TCP/IP model. The additional information is added on the sender's side, starting from the Application layer and working down to the Physical layer.
Read more: bit.ly/3wNOGMh
Let me know if I missed an awesome OSINT Tool. #OSINT #infosec
1. Maltego: Specializes in uncovering relationships among ppl, companies, domains, and publicly accessible information on the internet. It’s also known for taking the sometimes enormous amount of discovered info and plotting it all out in easy-2-read charts and graphs. #maltego
2. Mitaka: Available as a Chrome extension and Firefox add-on, #Mitaka lets you search over six dozen search engines for IP addresses, domains, URLs, hashes, ASNs, #Bitcoin wallet addresses, and various indicators of compromise (IOCs) from your web browser.