Executable XSS cheat sheets for popular web frameworks

by Pablo Estrada on January 21, 2021

We’re big fans of the OWASP Cheat Sheet Series, one of the flagship OWASP projects. The series includes detailed information on all kinds of security issues and is an outstanding reference and educational tool.

We developed these cheat sheets to check for code patterns that can lead to XSS (cross-site scripting) in an application. Instead of scrutinizing code for exploitable vulnerabilities, the recommendations in these cheat sheets pave a safe road for developers, one that mitigates the possibility of XSS in their code. By following these recommendations, you can be reasonably sure your code is free of XSS. Each cheat sheet includes a single executable command to scan your code for XSS issues.
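To make the "code pattern" idea concrete, here is an added example (not the cheat sheets' own Semgrep rules, and not code from the r2c project): a toy, regex-based scanner that flags a few Flask/Jinja idioms commonly associated with XSS, run over a constructed view module and template, next to the unsafe and escaped rendering it is looking for. The rule ids, the pattern list, and the sample source are all assumptions made for illustration; Semgrep matches on program syntax rather than text, so a real rule is both more precise and harder to evade than these regexes.

```python
"""Toy pattern-based XSS check for Flask/Jinja source (illustrative only)."""
import html
import re

# Constructed rule table: (rule id, regex, why the pattern is risky).
# The ids are invented; the patterns approximate what a Flask XSS check
# might flag, and are NOT the real cheat sheet rules.
RISKY_PATTERNS = [
    ("flask-markup-untrusted",
     re.compile(r"\bMarkup\((?!\s*['\"])"),
     "Markup() wraps a non-literal value, so it is emitted unescaped"),
    ("flask-render-template-string",
     re.compile(r"render_template_string\((?!\s*(['\"])[^'\"]*\1\s*[,)])"),
     "template text assembled at runtime may embed user input as markup"),
    ("jinja-safe-filter",
     re.compile(r"\|\s*safe\b"),
     "the |safe filter disables autoescaping for this value"),
    ("jinja-autoescape-off",
     re.compile(r"\{%\s*autoescape\s+false\s*%\}"),
     "autoescaping is switched off for the enclosed block"),
]


def scan_source(source):
    """Return (line_no, rule_id, stripped_line) for each line matching a rule."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, _reason in RISKY_PATTERNS:
            if pattern.search(line):
                findings.append((line_no, rule_id, line.strip()))
    return findings


# Constructed Flask view module: two risky handlers and one safe one.
SAMPLE_FLASK_VIEW = '''\
from flask import Flask, request, render_template, render_template_string, Markup
app = Flask(__name__)

@app.route("/hello")
def hello():
    name = request.args.get("name", "")
    return render_template_string("<p>Hello " + name + "</p>")

@app.route("/bio")
def bio():
    bio_html = Markup(request.args.get("bio", ""))
    return render_template("bio.html", bio=bio_html)

@app.route("/ok")
def ok():
    # Safe: the template is a literal and Jinja autoescapes the variable
    return render_template_string("<p>Hello {{ name }}</p>", name=request.args.get("name", ""))
'''

# Constructed Jinja template with two autoescape bypasses.
SAMPLE_TEMPLATE = '''\
<h1>{{ title }}</h1>
<div class="bio">{{ bio | safe }}</div>
{% autoescape false %}{{ footer }}{% endautoescape %}
'''

# Constructed probe value used to show the difference between the two renderers.
USER_INPUT = "<script>alert(1)</script>"


def render_unsafe(name):
    """String concatenation: the browser parses the input as markup."""
    return "<p>Hello " + name + "</p>"


def render_safe(name):
    """The fix the cheat sheets steer you toward: escape at output time."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    for label, src in (("view", SAMPLE_FLASK_VIEW), ("template", SAMPLE_TEMPLATE)):
        for line_no, rule_id, text in scan_source(src):
            print(f"{label}:{line_no}: {rule_id}: {text}")
    print(render_unsafe(USER_INPUT))
    print(render_safe(USER_INPUT))
```

The scanner deliberately leaves the `/ok` handler alone: a literal template with a `{{ name }}` placeholder goes through Jinja's autoescaping, which is the "safe road" the cheat sheets describe. The two flagged handlers are the shapes a reviewer would want to see rewritten so the untrusted value is interpolated by the template engine rather than concatenated into it.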

Our first four cheat sheets scan these popular web app frameworks:

Django (pdf version)
Flask (pdf version)
Java/JSP (pdf version)
Ruby on Rails (pdf version)

More background on XSS is available in the OWASP XSS Prevention Cheat Sheet.

If you’re interested in contributing your own Semgrep rules back to the community (for XSS or other issues), check out the semgrep-rules repository. And stay tuned for more cheat sheets like these!