
Cross-Site Scripting (XSS)


Description

Cross-site scripting (XSS) vulnerabilities occur when unsanitized user-controlled input is included in a page served to the user's browser, where it is interpreted as markup or script.

XSS vulnerabilities bypass the Same-Origin Policy (SOP), a core principle of web security. SOP ensures that a page from http://evil.com cannot access the content of a page from http://bank.com.

XSS is commonly separated into three families:

  • Reflected: the user-controlled input is directly reflected in the page response
  • Stored: the user-controlled input is stored on the server side, for instance in a database, and is later returned to the user
  • DOM-based: the user-controlled input is injected on the client side into the DOM, triggering the execution of malicious JavaScript

XSS vulnerabilities allow an attacker to perform a variety of malicious actions, such as exfiltrating personal data, including user session or account information, or performing actions on behalf of the user.

Recommendation

In general, preventing XSS vulnerabilities requires two-step protection:

  • Input validation: user-controlled input should be validated to forbid all unauthorized characters; for instance, a phone number should contain only digits, a name should contain only alphabetical characters, etc.
  • Output encoding: all input shown to the user is encoded correctly using a proven standard API. Use of a safe template engine with native support for output encoding and secure defaults is highly recommended.
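The two-step protection above, as an added example in plain Node.js that is not part of the original page. The allow-list patterns, the greeting page and the entity table are constructed for illustration; the encoder covers the HTML element (body) context only, and a value placed in an attribute, URL or inline script needs the encoding for that context instead.

```javascript
// Added example (not from the original page): the two-step XSS defence
// from the Recommendation section, written as plain Node.js functions.

// Step 1: input validation with allow-lists, as the page suggests
// (digits only for a phone number, letters only for a name).
const VALIDATORS = {
  phone: /^[0-9]{6,15}$/,     // constructed rule: 6 to 15 digits
  name: /^[A-Za-z]{1,64}$/,   // constructed rule: ASCII letters only
};

function validateInput(kind, value) {
  const rule = VALIDATORS[kind];
  if (!rule) throw new Error(`unknown input kind: ${kind}`);
  return typeof value === 'string' && rule.test(value);
}

// Step 2: output encoding for the HTML element (body) context.
// Each character that can open a tag, attribute or entity is replaced by
// an entity, so the browser renders the value as text instead of markup.
// This table is NOT sufficient for attribute, URL or JavaScript contexts.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeForHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ENTITIES[ch]);
}

// A reflected "greeting" page that echoes a name back to the user.
// Unsafe variant: raw string concatenation, the reflected XSS pattern
// the Description section talks about.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Safe variant: reject values that fail the allow-list and, independently,
// encode whatever is rendered. Encoding stays in place even if validation
// is later relaxed, which is why the page lists both steps.
function renderGreetingSafe(name) {
  if (!validateInput('name', name)) {
    return '<p>Hello, guest!</p>'; // fall back instead of echoing bad input
  }
  return `<p>Hello, ${encodeForHtml(name)}!</p>`;
}
```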