Welcome to the OWASP-SKF chat room, if you need help or have questions then you are at the right place! https://securityknowledgeframework.org You can also ask our Chatbot questions regarding to security vulnerabilities: @skfchatbot what is xss?
@lsec0ni 45 Code enforce secure password (10:22:42 AM)
@skfchatbot 52
@lsec0ni 2 Code xsl injection prevention in flask (10:23:15 AM)
@lsec0ni 4 Code xsl injection prevention in ruby (10:23:15 AM)
@lsec0ni 3 Code xsl injection prevention in django (10:23:15 AM)
@lsec0ni 1 Code xsl injection prevention in php (10:23:15 AM)
@lsec0ni Code for XSL Injection prevention
Example:
// In order to prevent XSL injections you must enforce strict policy's whenever the
// files are loaded from a source controlled by an possible attacker.
// Let's say for example that the user can choose from several XSL files on your application.
// ABC.xsl arranges your employee names on alphabetical order
// CBA.xsl does not care and just shows the input by order of your XML file.
// Before we want to attach the XSL files to the style sheet we first want to
// do validation on the request to make sure the included file was one of our own pre
// defined files, example:
// check_pattern(params[:xslfile], "file1.xsl,file2.xsl,etc")
require 'nokogiri'
// Include the classes of which you want to use objects from
require_relative 'classes'
class IncludeXSL
def including(param, white_list)
// check "Whitelisting" for method declaration
if check_pattern(param, white_list)
document = Nokogiri::XML(File.read('input.xml'))
template = Nokogiri::XSLT(File.read('template.xslt'))
transformed_document = template.transform(document)
end
end
endCode language is ruby (10:23:26 AM)
@lsec0ni 10 Solution client side input validation (4:00:40 AM)
@lsec0ni 5 Solution do not support untrusted client side technologies (4:00:40 AM)
@lsec0ni 13 Solution cross site request forgery (4:00:40 AM)
@lsec0ni 0 Solution client side storage (4:00:40 AM)
@lsec0ni 4 Solution user generated session ids should be rejected by the server (4:00:40 AM)
@lsec0ni 6 Solution session information is not stored server side (4:00:40 AM)
@lsec0ni 3 Solution http request methods (4:00:40 AM)
@lsec0ni 14 Solution servers must not be trusted without explicit authentication (4:00:40 AM)
@lsec0ni 1 Solution server side validation (4:00:40 AM)
@lsec0ni 16 Solution aggregate user requests (4:00:40 AM)
@lsec0ni 8 Solution logging implemented on the serverside (4:00:40 AM)
@lsec0ni 7 Solution client side state management (4:00:40 AM)
@lsec0ni 12 Solution file upload outside document root (4:00:40 AM)
@lsec0ni 15 Solution get post requests (4:00:40 AM)
@lsec0ni 11 Solution sensitive information stored alongside the source code (4:00:40 AM)
@lsec0ni 17 Solution client side constraints (4:00:40 AM)
@lsec0ni 9 Solution html caching and client side caching (4:00:40 AM)
@Hemant (hemantj99) 0 Code crossdomain.xml (9:04:28 PM)
@Hemant (hemantj99) 2 Code xml injection prevention (9:04:28 PM)
@Hemant (hemantj99) 7 Code xml external entities (9:04:28 PM)
@Hemant (hemantj99) 6 Code crossdomain.xml (9:04:28 PM)
@Hemant (hemantj99) 5 Code encoder (9:04:28 PM)
@Hemant (hemantj99) 1 Code encoder sql esapi (9:04:28 PM)
@Hemant (hemantj99) 3 Code xmlprevention (9:04:28 PM)
@Hemant (hemantj99) 4 Code xml injection prevention in ruby (9:04:39 PM)
@Hemant (hemantj99) 3 Code xml injection prevention in django (9:04:39 PM)
@Hemant (hemantj99) 2 Code xml injection prevention in flask (9:04:39 PM)
@Hemant (hemantj99) 1 Code xml injection prevention in php (9:04:39 PM)
@Hemant (hemantj99) Code for XML injection prevention
Example:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Text.RegularExpressions;
using System.IO;
using System.Xml;
namespace MvcApplication1.Controllers
{
public class storeXML
{
public void storeFunction(string name, string lastName, string gender)
{
/*
First we import our inputvalidation control class. for more detailed information about
input validation check the code examples for "Input validation" & "Single input validation".
*/
inputValidationControl validate = new inputValidationControl();
bool doFunction = true;
//If the function returns false, we do not execute the function
//see the "input validation" code example for more detailed information about this function
if (validate.validateInput(name, "alphanumeric", "Invalid userinput name", "HIGH") == false) { doFunction = false; }
if (validate.validateInput(lastName, "alphanumeric", "Invalid userinput name", "HIGH") == false) { doFunction = false; }
if (validate.validateInput(gender, "alphanumeric", "Invalid userinput name", "HIGH") == false) { doFunction = false; }
if (doFunction == true)
{
//Only after validation we proceed to the XMLwriter class where we insert the parameters
using (XmlWriter writer = XmlWriter.Create(@"C:\Users\Public\xml\register.xml"))
{
writer.WriteStartElement("person");
writer.WriteElementString("name", name);
writer.WriteElementString("lastname", lastName);
writer.WriteElementString("gender", gender);
writer.WriteEndElement();
writer.Flush();
}
}
}
}
}
/*
Now we prevented malicious userinput from coming into your XML file.
NOTE: Do not forget to also properly encode your input as a last line of defense,
also In this example the XmlReader disables external entities by default.
If you should choose another parser make sure your parser disables these entities
in order to prevent XXE injections.
*/Code language is asp (9:04:51 PM)
