Merge pull request #440 from bugcrowd/flash-based-xss
Updates to rec for Flash-Based XSS
RRudder authored May 15, 2024
2 parents 2fa695b + 03888ac commit 1d2d25f
Showing 1 changed file with 2 additions and 1 deletion.
@@ -2,8 +2,9 @@

There is no single technique to stop XSS from occurring. However, implementing the right combination of defensive measures within the application will prevent and limit the impact of XSS. Some best practices include the following:

- Update to a technology stack that is not Flash (such as HTML5, JavaScript, and CSS3). Flash is now a depreciated technology that is no longer supported by many browsers. There are multiple security risks and performance issues related to Flash.
- All user input fields should be sanitized based on what the field is likely to contain. For example, a date field (01/01/2001) should only contain a maximum of 10 characters consisting of numbers and forward slashes. Additionally, drop down or pick lists can be used for allowable inputs to ensure expected values are sent to the server.
- Use appropriate HTTP response headers to ensure the browser correctly interprets responses. These should be customized specific to the application and its environment. For example:
- Implement a Content Security Policy (CSP) to ensure the browser correctly interprets responses and restricts which sources can be used to execute scripts. This should be customized specific to the application and its environment. For example:

``` HTTP
X-Content-Type-Options: nosniff
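Review bot: the rewritten bullet at the end of this hunk now introduces a Content Security Policy example ("Implement a Content Security Policy (CSP) ... For example:"), but the example that follows is still `X-Content-Type-Options: nosniff`, which is not a CSP directive, so the lead-in and its example no longer match. Either keep the broader "Use appropriate HTTP response headers" wording that this hunk removes, so the nosniff example still fits, or add a `Content-Security-Policy` line to the fenced block (for instance one that restricts `script-src` to the application's own origin) so the new sentence actually has the example it promises. The new CSP sentence also carries over the clause "ensure the browser correctly interprets responses", which describes what `nosniff` does rather than what CSP does; CSP restricts where scripts may be loaded from, so that clause should be dropped from the CSP line. In the new Flash bullet, "depreciated" should read "deprecated", and "customized specific to the application" in the CSP bullet reads more naturally as "customized for the application and its environment".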
