Cordova Cross-Site Scripting (XSS)

Cordova Cross-Site Scripting (XSS)

Risk: medium

Description

Mobile Cross-Site Scripting (XSS) attacks are an injection type in which malicious scripts are injected into otherwise benign and trusted content. XSS attacks occur when an attacker can inject malicious code through:

• Untrusted Inter-Process Communication (IPC) input
• Man-in-the-Middle attack
• Untrusted content stored on the webserver application
• Untrusted local file input

Example script to test presence of XSS

HTML

<script>alert("Ostorlab XSS!")</script>

<img src="http://ostorlab.co/js_xss2" onerror=alert(document.cookie)>

XSS vulnerabilities for Cordova applications are critical as they allow access to native functionality on the target phone and could lead to unauthorized access to contacts, messages, cameras, audio, and location.

Recommendation

The application must validate all the provided input and use secure HTML formatting API. The recommended approach is to define a list of acceptable characters and allow only those. For example, acceptable characters would be upper case letters, lower case letters, and numbers (i.e. a-z, A-Z, and 0-9).

Frameworks offer methods to validate input and prevent XSS vulnerabilities, and modern frameworks (Angular JS 2, React JS) automatically escape user input:

To escape inputs using Sencha Ext JS, the following methods could be used:

• Ext.util.Format.stripTags
• Ext.util.Format.stripScripts
• Ext.util.Format.htmlEncode/Decode

Links

• Why Cordova XSS is your worst enemy ?
• Cordova Security Guide
• OWASP Cross-Site Scripting (XSS)

Standards

• OWASP_MASVS_L1:
  • MSTG_PLATFORM_2
• OWASP_MASVS_L2:
  • MSTG_PLATFORM_2
• CWE_TOP_25:
  • CWE_79
  • CWE_20
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_6_2
  • REQ_6_3
  • REQ_11_3