DEV Community

Discussion on: How hackers steal your keys and secrets

Omer Hamerman

Hey,
Basically, this is a library that offers its own functionality to escape special characters and HTML edge cases to prevent different kinds of XSS. Regarding usage, they have pretty straightforward instructions.

Don't know whether this is the best tool for the job but I can't recommend anything else since I'm not aware of any.

It's good that you care, understand the risk, and try to prevent the damage from happening.
Good luck

Artem

Hi )
I connected everything to protection.
How can I validate the form?
I want to check whether my protection is working or not.
If I paste this into the alert (document.cookie) form, it will be sent to my mail. I will not see any JavaScript code displayed.
I need a method to test my XSS protection.
In other words, what I need to do is to make an XSS attack on my form so that I can see if my defense has worked or not.
I hope I have explained it clearly.
I am sorry my English is bad.

Omer Hamerman

Hi,

Like I mentioned earlier, you probably want to learn the basics on your own and then validate your protection by "attacking" your own page. Here's a great video with explanations on different techniques. The guy also has a practice area where you can practice what you've learned: youtube.com/watch?v=EoaDgUgS6QA

When you protect something, be aware of what it is you are protecting from. "XSS" is a wide range of techniques that can abuse pages. If you protect against a certain technique, e.g. HTML tags, try exploiting your own form with something like <img src/onerror=alert(1)>.
Here's another cheatsheet by Portswigger where you can see an endless list of methods: portswigger.net/web-security/cross...
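The "attack your own form and see whether the defense held" loop described above can be automated. Below is an added example (not code from the thread or from any library mentioned in it): a minimal HTML escaper, a render function standing in for the form-to-mail template, and a self-check that runs the payloads the thread talks about through it. The field name `message`, the template layout and the payload list are constructed assumptions.

```javascript
// Added example: a self-check for output escaping on a form field.
// In production use a maintained escaping library; this escaper exists so the
// check below has something concrete to validate.

// Escape the five characters that change meaning in HTML text or in a
// double-quoted attribute value.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for the template that turns a submitted field into HTML (e.g. the
// mail body). The untrusted value lands in both an attribute and text content.
// `escape = false` models a form whose protection is missing or broken.
function renderField(name, value, escape = true) {
  const safeName = escapeHtml(name);
  const v = escape ? escapeHtml(value) : String(value);
  return `<input name="${safeName}" value="${v}"><p>${v}</p>`;
}

// Remove the template's own fixed markup, then confirm that nothing which could
// open a new tag, close the attribute, or start a handler survives in the
// user-controlled remainder.
function isInert(rendered, name) {
  const fixed = [`<input name="${escapeHtml(name)}" value="`, `"><p>`, `</p>`];
  let rest = rendered;
  for (const piece of fixed) rest = rest.replace(piece, "");
  return !/[<>"]/.test(rest);
}

// Constructed test inputs: the two payloads mentioned in the discussion plus a
// harmless value. A real run should also walk through the PortSwigger list.
const TEST_PAYLOADS = [
  "<script>alert(document.cookie)</script>",
  "<img src/onerror=alert(1)>",
  "plain text, no markup",
];

// Returns one result per payload so a failing payload is named, not just counted.
function runSelfTest(escape = true) {
  return TEST_PAYLOADS.map((payload) => ({
    payload,
    inert: isInert(renderField("message", payload, escape), "message"),
  }));
}

console.log(runSelfTest(true));   // every entry inert: true
console.log(runSelfTest(false));  // the two markup payloads report inert: false
```

Run it once with escaping on and once with it off: if the "off" run does not flag the markup payloads, the check itself is too weak and should be fixed before trusting a passing result.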