Security Cipher
DOM Cross-Site-Scripting (XSS)

Table of Contents
  • 🥺 Vulnerable Code
  • 😎 Secure Code

Here is an example of vulnerable code that is susceptible to a DOM-based cross-site scripting (XSS) attack:

🥺 Vulnerable Code

// Client-side JavaScript: the "input" query parameter of the page URL is the DOM source
const userInput = new URLSearchParams(window.location.search).get("input");
const output = "You entered: " + userInput;
// Sink: innerHTML parses the string as HTML, so any markup in userInput is rendered and executed
document.getElementById("output").innerHTML = output;

This code takes the user’s input, obtained from the request (here the input parameter of the page URL), and assigns it to the innerHTML of an element on the page. Because innerHTML parses the string as HTML, input that has not been properly sanitized can carry malicious code, such as JavaScript, which the browser then executes.

😎 Secure Code

To secure this code against DOM-based XSS attacks, sanitize the user input (HTML-escaping it, or stripping any markup that is not explicitly allowed) before it is assigned to the inner HTML of the element. Here is an example of how you could do this:

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Allow-list policy: only <a href="https://..."> survives, everything else is stripped
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("a")
    .allowUrlProtocols("https")
    .allowAttributes("href").onElements("a")
    .toFactory();

// Server side (Java servlet): sanitize the value before it ever reaches the page
String userInput = request.getParameter("input");
String output = policy.sanitize(userInput);
// The sanitized markup is written into the response; the browser may then place it in
// the element's innerHTML, since the sanitizer (not the sink) is what blocks script execution
response.getWriter().write("You entered: " + output);

This code uses the OWASP HTML Sanitizer library (Java) to sanitize the user input. The policy allows only <a> elements with an href attribute, and only links that use the https protocol; all other elements and attributes are stripped. This prevents malicious markup or script from being injected into the page.
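The Java sanitizer above runs on the server, but the sink in a DOM XSS is the browser. As an added example (not part of the original article), the block below shows the client-side counterpart of the fix for both the vulnerable snippet and the secure one: an HTML escaper for the case where innerHTML cannot be avoided, a textContent sink for the common case where "You entered: ..." is meant as plain text, and an https-only URL check that mirrors the article's link policy. The function names escapeHtml, renderEntered, renderEnteredHtml and isHttpsUrl are this example's own; the sample inputs are constructed.

```javascript
// Added example, not code from the original article. Names are this example's own.

// HTML-escape a string so the browser renders it as literal text even inside innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Safe sink for plain text: textContent never parses markup, so no escaping is needed.
// `el` is any object with a textContent property (a real DOM element in the browser).
function renderEntered(el, userInput) {
  el.textContent = "You entered: " + String(userInput);
  return el.textContent;
}

// Where innerHTML is unavoidable, escape the user-controlled part before concatenating.
function renderEnteredHtml(userInput) {
  return "You entered: " + escapeHtml(userInput);
}

// Mirror of the article's link policy: accept only absolute https:// URLs.
// Relative or unparsable strings (and any other scheme) are rejected.
function isHttpsUrl(candidate) {
  try {
    return new URL(candidate).protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Browser usage (skipped under Node, where there is no document): same source as the
// vulnerable snippet, but written through the textContent sink instead of innerHTML.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  const userInput = new URLSearchParams(window.location.search).get("input") || "";
  renderEntered(document.getElementById("output"), userInput);
}
```

Prefer renderEntered (textContent) whenever the value is meant to be displayed as text; escapeHtml and renderEnteredHtml exist for templates that must build an HTML string, and isHttpsUrl is the check to apply before using user input as a link target, for example via setAttribute("href", url) on an element created with createElement("a").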

©2023. Security Cipher. All Rights Reserved.