
Consider an app you develop that uses something like the OWASP CSRFGuard library. What can be done to protect against XSS if the app calls a third party black box app that has no way to store and return the token when control is transferred back to your app? I may have no control over sending cookies by the black box app. The URL on the return could include a static parameter that is only known to the server, but that doesn't sound like a solid approach. Any better solutions?

Anders

1 Answer


It sounds like you are worried about your web server code trusting a third party library that generates content within your HTTP response. This is a very valid concern.

If all that it generates is CSRF tokens, i.e. some strings, it makes sense to add XSS protection (whitelisting chars, escaping special characters ...). This should eliminate most of the likely XSS vectors that your black-box library introduces.

On the other hand, if the library is generating JavaScript which is embedded in your response, you may want HttpOnly cookies, to limit visibility of your DOM. In the latter case, you could also consider implementing a Content Security Policy. However, this is much harder to implement correctly. You may also want to study and log the client-side code generated by the library.

Jedi
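As an added illustration of the allowlisting and escaping the answer recommends for a token string that comes back from a black-box component (example code written for this page, not from the original post and not CSRFGuard's own API; the token format, the `new_token` stand-in and the sample inputs are assumptions):

```python
import hmac
import html
import re
import secrets

# Strict allowlist for a token handed back by a black-box component:
# URL-safe base64 characters only, within a fixed length range. Anything
# else is rejected outright rather than "cleaned", so a malformed value
# never reaches the HTML response at all.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")


def is_well_formed_token(token: str) -> bool:
    """Return True only if the whole token matches the allowlist."""
    return bool(TOKEN_RE.fullmatch(token))


def embed_token_field(token: str) -> str:
    """Render a hidden form field carrying the token.

    Allowlist first (reject on failure), then HTML-escape as defence in
    depth so the value is safe inside a double-quoted attribute.
    """
    if not is_well_formed_token(token):
        raise ValueError("token rejected by allowlist")
    safe = html.escape(token, quote=True)
    return f'<input type="hidden" name="csrf_token" value="{safe}">'


def new_token() -> str:
    """Hypothetical stand-in for a library's server-side token generator."""
    return secrets.token_urlsafe(32)  # 43 URL-safe chars, fits TOKEN_RE


def tokens_match(expected: str, presented: str) -> bool:
    """Compare the stored token with a submitted one in constant time."""
    if not is_well_formed_token(presented):
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    token = new_token()
    print(embed_token_field(token))
    # Constructed sample of a malformed value a black box might return:
    print(is_well_formed_token('tok"en<>'))  # False
```

The same allowlist runs on the way back in (`tokens_match`), so a value that was never a valid token is refused before any comparison is attempted.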