The Startup
Published in

The Startup

OWASP Juice Shop — XSS Tier 0 and XSS Tier 1 Challenge Solutions

Solving OWASP Juice Shop challenge with XSS attacks

What is Cross-site scripting (XSS)?

  1. Stored XSS
  2. Reflected XSS
  3. DOM Based XSS

The solution to XSS Tier 1 problem

<h1>hello world</h1>
<iframe src="javascript:alert(`xss`)">
XSS Tier 1 solution

The solution to XSS Tier 0 problem

<iframe src="javascript:alert(`xss`)">
  1. Always validate the input fields. Never accept code snippets from untrusted sources, use HTML escape and Javascript escape
  2. Encode HTML attributes, Javascript data, URL parameters and CSS before inserting data into HTML elements.
  3. Do not use Javascript URLs.
  4. Use Javascript escape before inserting data into CSS attributes, use URL escape, and Javascript escape before inserting data into URL attributes.
  5. Populate DOM using safe Javascript functions or properties.

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store