According to OWASP, which three statements are rules to prevent XSS attacks? (Choose three.)
- Use the HTML tag with JavaScript encoding.
- Use HTTPS only mode for accessing web applications.
- Use HTML escape before inserting untrusted data into HTML element content.
- Use the HTML img tag with a combination of hexadecimal HTML character references.
- Use attribute escape before inserting untrusted data into HTML common attributes.
- Use JavaScript escape before inserting untrusted data into JavaScript data values.
Explanation: According to OWASP, the general rules for preventing XSS attacks include:
- Use an auto-escaping template system.
- Never insert untrusted data except in allowed locations.
- Use HTML escape before inserting untrusted data into HTML element content.
- Use attribute escape before inserting untrusted data into HTML common attributes.
- Use JavaScript escape before inserting untrusted data into JavaScript data values.
- Use CSS escape and strictly validate before inserting untrusted data into HTML style property values.
- Use URL escape before inserting untrusted data into HTML URL parameter values.
- Sanitize HTML markup with a library such as ESAPI to protect the underlying application.
- Use the HTTPOnly cookie flag.
- Implement content security policy.
- Use the X-XSS-Protection response header.
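The three correct answers are all instances of context-specific output encoding. The following added example (my own code, not from OWASP or the quiz) shows one encoder per context: HTML element content, HTML attribute values, and JavaScript string data; the function names and the sample input are assumptions of this example.

```python
# Added example (not from the quiz page): context-aware output encoding for the
# three OWASP rules the answer names. Function names are my own.
import html


def html_escape(s: str) -> str:
    """Rule: HTML escape before inserting untrusted data into element content.
    Encodes & < > " ' so the data can never start a tag or entity."""
    return html.escape(s, quote=True)


def attr_escape(s: str) -> str:
    """Rule: attribute escape before inserting into an HTML attribute value.
    Every non-alphanumeric ASCII character becomes &#xHH;, so the value stays
    inert even if the template author forgot the quotes around the attribute."""
    return "".join(
        c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in s
    )


def js_escape(s: str) -> str:
    """Rule: JavaScript escape before inserting into a quoted JS data value.
    Non-alphanumerics become \\xHH (or \\uHHHH), so neither a quote nor a
    literal </script> can end the string or the script block."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def render(untrusted: str) -> str:
    """Place one untrusted value in all three contexts, each with its own encoder."""
    return (
        f"<div>{html_escape(untrusted)}</div>\n"
        f'<input value="{attr_escape(untrusted)}">\n'
        f"<script>var name = '{js_escape(untrusted)}';</script>"
    )


if __name__ == "__main__":
    # Constructed sample input containing every character each context cares about.
    print(render('O\'Neil <b>"&"</b>'))
```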
Exam with this question: 6.13.3 Quiz - Performing Post-Exploitation Techniques Answers