CRITICAL
Rule Definition
This could lead to a potential Cross Site Scripting (XSS) vulnerability. Using a XSS vulnerability, an attacker could inject malicious JavaScript and execute any action JavaScript could do. Examples include:
- Stealing authentication material (e.g. cookies, JWT tokens)
- Exfiltrate sensitive information by reading the DOM
- Keylog entries on the website (e.g. fake login form)
Whether this is exploitable or not depends on a few conditions:
- Is an executable mimetype set? (e.g. text/html)
- Is the content served inline or as attachment? (Content-Disposition)
- Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)
Remediation
Sanitize user-input by using functions such as htmlentities with the ENT_QUOTES flag or use an allowlist.
Set all cookies to HTTPOnly.
Consider using Content Security Policy (CSP), to limit the risk of XSS vulnerabilities.
Violation Code Sample
<?php
$name = $_GET["name"];
printName($name);
function printName(string $name) {
echo $name; // VIOLATION
}
Fixed Code Sample
<?php
$name = $_GET["name"];
$escaped_name = htmlentities($name, ENT_QUOTES); // ESCAPE STRING
printName($escaped_name);
function printName(string $name) {
echo $name; // FIXED
}
Reference
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
https://cwe.mitre.org/data/definitions/79.html
OWASP Wiki for Cross Site Scripting (XSS)
https://owasp.org/www-community/attacks/xss/
Content-Security-Policy - Web Fundamentals
https://web.dev/csp/
Related Technologies
Technical Criterion
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.