Antisamy or Content Security Policy or both to prevent XSS attack

Recently I have studied a lot about XSS attacks and was searching for XSS prevention techniques.

I came across a library called AntiSamy, suggested by OWASP. AntiSamy is an HTML, CSS and JavaScript filter for Java that sanitizes user input based on a policy file. AntiSamy is not an HTML, CSS and JavaScript validator. It is merely a way to make sure HTML, CSS and JavaScript input strictly follows rules defined by a policy file.

Also I have read about an HTTP response header called Content Security Policy (CSP). It allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources.

So should I use only AntiSamy, only CSP, or would using both be beneficial?

Thank you in advance.

asked Oct 02 '22 13:10 by tiger


2 Answers

When it comes to security, the answer is always both/all/everything so long as you have the time.

They are both beneficial in their own right.

I'd argue CSP is more beneficial long term, but I'm highly biased.

EDIT based on completely valid comment

CSP is not supported by all user agents, whereas AntiSamy is user-agent agnostic.

answered Oct 05 '22 12:10 by oreoshake


There have been exploits found in AntiSamy in the past and there will probably be in the future as XSS attacks get cleverer (check out this video on mXSS).

It would be advisable to use both. AntiSamy will be effective for browsers that do not support CSP. CSP will be effective for current and future supported browsers.

answered Oct 05 '22 12:10 by SilverlightFox