DefenseCode

Cross Site Scripting

Risk type: MEDIUM

Description:

Cross site scripting is an injection vulnerability in which the attacker injects a malicious script into a trusted website. Usually it is a browser-side script that is executed in the browser of the website's users.

Example:

The user searches for the text "phrase" on a vulnerable website whose search functionality sends the query in the "text" parameter:

http://www.victim.com/search.php?text=phrase

The attacker can use the following search query:

http://www.victim.com/search.php?text=<img src="http://www.attacker.com/pic.jpg"/>

Website users will be served the attacker's picture "pic.jpg" every time they use the website's search functionality.

Mitigation:

  • Never insert untrusted data, except in allowed locations.
  • Escape HTML before inserting untrusted data into element content.
  • Escape attribute values before inserting untrusted data into common HTML attributes.
  • Escape JavaScript before inserting untrusted data into JavaScript data values.
  • Escape CSS and strictly validate before inserting untrusted data into HTML style property values.
  • URL-encode before inserting untrusted data into HTML URL parameter values.
  • Use an HTML policy engine (sanitizer) to validate or clean user-supplied HTML on output.
  • Prevent DOM-based XSS.
  • Use the HttpOnly cookie flag.
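As an added example that is not part of the DefenseCode page, the search-results rendering from the example above written in JavaScript (Node.js): once with the untrusted "text" parameter concatenated unescaped, and once with the context-specific escaping from the mitigation list. The renderer function names and the "Search again" link are assumptions made for the illustration.

```javascript
// Added example (not DefenseCode's code): a minimal search-results renderer
// that reproduces the reflected XSS from the search.php example and shows
// the same page rendered with context-aware escaping.

// Escape for HTML element content (also safe for double-quoted attributes).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Escape for a URL query parameter value (the "Search again" link is an
// assumed second insertion point, in URL context rather than HTML context).
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// VULNERABLE: the untrusted "text" parameter is concatenated into the page
// unescaped, so <img src="http://www.attacker.com/pic.jpg"/> becomes markup.
function renderSearchVulnerable(text) {
  return '<p>Results for: ' + text + '</p>' +
         '<a href="/search.php?text=' + text + '">Search again</a>';
}

// HARDENED: each insertion point gets the escaping that matches its context
// (element content -> HTML escaping, URL parameter -> URL encoding).
function renderSearchSafe(text) {
  return '<p>Results for: ' + escapeHtml(text) + '</p>' +
         '<a href="/search.php?text=' + escapeUrlParam(text) + '">Search again</a>';
}

// Constructed input: the payload from the page's example query string.
const PAYLOAD = '<img src="http://www.attacker.com/pic.jpg"/>';

// Detection helper: does the rendered HTML contain a live <img ...> tag?
// Escaped output contains "&lt;img", which the browser shows as text.
function containsImgTag(html) {
  return /<img\b/i.test(html);
}
```

With the constructed payload, `renderSearchVulnerable` emits a real image tag while `renderSearchSafe` emits it as visible text and as a URL-encoded link parameter.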

Further reading:

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
http://www.cgisecurity.com/xss-faq.html
http://www.technicalinfo.net/papers/CSS.html