What is the blacklisting approach –
Define the untrusted scripting characters (for example < > " ' &) and encode or remove them from the incoming request before the application ever sees the raw value.
Challenges

- Many HTML features allow scripting without an obvious tag in the request (e.g. part of the page is generated by the backend, or a reflected value lands inside an attribute or event handler), so a fixed list of characters is easy to bypass
- The application may have custom extensions to HTML, so the blacklist has to be tailored per application and kept in sync with it
- A blacklist only rejects what is already known to be bad; contextual output encoding at the point of rendering is the stronger control, and a request-sanitizing filter should be treated as defense in depth rather than the primary defense
Implementation outline (Java servlet filter)
- Define a servlet filter (XSSFilter) – the filter wraps the incoming request and passes a sanitized HttpServletRequest wrapper down the filter chain
- Define a sanitized HTTP request wrapper – extend HttpServletRequestWrapper and override every accessor (getParameter, getParameterValues, getParameterMap, getHeader, ...) so that it returns the value after sanitization; any accessor left un-overridden is a bypass
- Define sanitization rules – a rule is simply the configurable set of untrusted characters, per page and per parameter
- Define the sanitization itself – encodes or removes the unsafe characters according to the rule
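The following is an added worked example of the four pieces above (filter, request wrapper, per-page/per-parameter rules, and the sanitizer); it is illustrative code written for this page, not the original author's implementation. It assumes the `javax.servlet` API (Servlet 3.0+; Jakarta EE 9+ uses the `jakarta.servlet` package instead), and the rule table in `init()` is a hard-coded stand-in for whatever configuration source the real application would load.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** One sanitization rule: the configured untrusted characters and what to do with them. */
final class SanitizeRule {
    enum Mode { ENCODE, REMOVE }

    private final Set<Character> untrusted = new HashSet<>();
    private final Mode mode;

    SanitizeRule(String untrustedChars, Mode mode) {
        for (char c : untrustedChars.toCharArray()) untrusted.add(c);
        this.mode = mode;
    }

    /** Returns the value with every blacklisted character encoded (&#NN;) or dropped. */
    String sanitize(String value) {
        if (value == null) return null;
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            if (!untrusted.contains(c)) { out.append(c); continue; }
            if (mode == Mode.ENCODE) out.append("&#").append((int) c).append(';');
            // Mode.REMOVE: the character is simply not appended
        }
        return out.toString();
    }
}

/** Request wrapper: every accessor a servlet might call returns the sanitized value. */
final class SanitizedRequestWrapper extends HttpServletRequestWrapper {
    private final Map<String, SanitizeRule> rulesByParam; // parameter name -> rule for this page
    private final SanitizeRule defaultRule;               // applied when no per-parameter rule exists

    SanitizedRequestWrapper(HttpServletRequest req, Map<String, SanitizeRule> rulesByParam,
                            SanitizeRule defaultRule) {
        super(req);
        this.rulesByParam = rulesByParam;
        this.defaultRule = defaultRule;
    }

    private SanitizeRule ruleFor(String name) { return rulesByParam.getOrDefault(name, defaultRule); }

    @Override public String getParameter(String name) {
        return ruleFor(name).sanitize(super.getParameter(name));
    }

    @Override public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) return null;
        String[] clean = new String[raw.length];
        for (int i = 0; i < raw.length; i++) clean[i] = ruleFor(name).sanitize(raw[i]);
        return clean;
    }

    @Override public Map<String, String[]> getParameterMap() {
        Map<String, String[]> clean = new LinkedHashMap<>();
        for (String name : super.getParameterMap().keySet()) clean.put(name, getParameterValues(name));
        return clean;
    }

    @Override public String getHeader(String name) {
        // Headers such as Referer or User-Agent are reflected by some pages, so they get the default rule.
        return defaultRule.sanitize(super.getHeader(name));
    }
    // Caveat: getQueryString(), getReader()/getInputStream() (JSON/XML bodies) and getHeaders(name)
    // are NOT overridden here; a servlet that reads through them receives the raw input.
}

/** The filter: picks the rule set for the requested page and hands a wrapped request down the chain. */
@WebFilter("/*")
public final class XSSFilter implements Filter {
    // servlet path -> (parameter name -> rule). Hard-coded here; a real deployment would load it
    // from configuration (assumption made for this example).
    private final Map<String, Map<String, SanitizeRule>> rules = new HashMap<>();
    private final SanitizeRule defaultRule = new SanitizeRule("<>\"'&", SanitizeRule.Mode.ENCODE);

    @Override public void init(FilterConfig cfg) {
        Map<String, SanitizeRule> searchPage = new HashMap<>();
        searchPage.put("q", new SanitizeRule("<>\"'&", SanitizeRule.Mode.ENCODE));   // reflected in HTML body
        searchPage.put("comment", new SanitizeRule("<>", SanitizeRule.Mode.REMOVE)); // angle brackets dropped
        rules.put("/search", searchPage);
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Map<String, SanitizeRule> pageRules = rules.getOrDefault(http.getServletPath(), Collections.emptyMap());
            req = new SanitizedRequestWrapper(http, pageRules, defaultRule);
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }
}
```

With this in place, a request to `/search?q=<script>alert(1)</script>` reaches the servlet as `&#60;script&#62;alert(1)&#60;/script&#62;` from `getParameter("q")`, while `comment=<b>hi</b>` becomes `bhi/b`. The per-page rule table is the "configurable untrusted character per page per parameter" idea from the outline; the parts that are not overridden in the wrapper illustrate the first challenge listed above, since any input path the filter does not cover is a bypass, and the filter should still be backed by output encoding in the views.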
