Cross-Site Scripting (XSS)

Cross-site scripting is the injection of client-side scripts into web applications, which is enabled by a lack of validating and correctly encoding user input. Learn here, how you can efficiently fix XSS vulnerabilities.

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NSecurity Assessment

Security_Assessment_XSS-1

CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerability Information

Cross-site scripting is the injection of client-side scripts into web applications, which is enabled by a lack of validating and correctly encoding user input. The malicious scripts are executed within the browser of the end users and enable a variety of attacks from stealing the end users session to monitoring and altering all actions performed by the end users on the affected website. There are different types of cross-site scripting attacks, which distinguish if the malicious scripts could be injected in a non-persistent or persistent fashion. Furthermore there is differentiation made between the vulnerability being caused by a flawed input validation on the client- or server-side.

Types

There are different types of cross-site scripting attacks, which are introduced in the following sections.

Stored Cross-Site Scripting (Persistent)

A stored cross-site scripting vulnerability allows an attacker to inject a malicious script persistently in a web application. For example the script might have been submitted via an input field to the web server, which did not perform a sufficient validation and stores the script persistently in the database. The consequence of this might be, that this script is now being delivered to all users visiting the web application and e.g. able to gain access to the session cookies of the user.

Reflected Cross-Site Scripting (Non-Persistent)

A reflected cross-site scripting vulnerability appears if unvalidated input is directly displayed to the user. For example the input of a search form is reflected on the page to show what the search key was. An attacker may craft an URL that contains malicious code and spread the URL via e-mail or social media. A user who clicks on this link opens the (valid) web application, which then runs the malicious code in the user's browser.

DOM-Based Cross-Site Scripting

A DOM-based cross-site scripting attack may be successfully executed even when the server does not embed any malicious code into the webpage, by using a flaw in the JavaScript executed in the web browser. If the client site JavaScript modifies the DOM tree of the webpage based on an input field or GET parameter without validating the input, malicious code can be executed.

Guides

To prevent XSS attacks treat all user input as potentially malicious and follow some programming guidelines:

Avoid Untrusted Input

XSS attacks only appear if any user input is displayed on the webpage. Therefore try to avoid displaying any (untrusted) user input, if possible. If you need to display user data, restrict the places wheres the user input might appear. Any input that is displayed inside a JavaScript tag or an URL which is shown on the site are much more likely to be exploited than input which just appears inside a div or span element inside the HTML body.

Filter User Input

In cases where any untrusted input is shown as normal text inside a HTML tag, filter out the characters which allow an attacker to insert a <script> tag in the page. Use the following functions for that:

htmlspecialchars($input)                                    # PHP
html.escape(input, quote=True) # Python
org.apache.commons.lang.StringEscapeUtils.escapeHtml(input) # Java

In JavaScript you need to define an extra function for this task. You may use:

function escapeHtml(text) {
var map = {
'&': '&amp;',
'<': '&lt;',
'>': '&gt;',
'"': '&quot;',
"'": '&#039;'
};

return text.replace(/[&<>"']/g, function(m) { return map[m]; });
}

In cases where user input needs to be inserted into tag attributes or inside a script, you will need to use stronger escape mechanisms. Refer to the XSS Prevention Cheat Sheet for more information. This is the case if you plan to allow user input in cases such as:

<a href="http://example.org/search/q?...USER INPUT..."></div>
<script>alert('...USER INPUT...')</script>
<style> { property: ...USER INPUT...; } </style>

For more information about Crashtest Security visit crashtest-security.com or go to our XSS Page!