Avoid cross-site scripting DOM vulnerabilities ( CWE-79 )

CRITICAL

Rule Definition
The most dangerous web application vulnerabilty is known as cross-site scripting (XSS). It is caused by malicious script echoed back into HTML returned from a trusted site, and runs under trusted context. To avoid the creation of XSS flaws, the Open Web Application Security Project (OWASP) recommends both input validation and "strong output encoding" or sanitization : "Strong output encoding. Ensure that all user-supplied data is appropriately entity encoded (either HTML or XML depending on the output mechanism) before rendering, taking the approach to encode all characters other than a very limited subset. This is the approach of the Microsoft Anti-XSS library, and the forthcoming OWASP PHP Anti-XSS library. Also, set the character encodings for each page you output, which will reduce exposure to some variants." This metric ensures that the appropriate output encoding (sanitization) is coded, as close as possible to user input method call, making security checking easier for all team members

Remediation
Code the appropriate sanitization methods as close as possible to the user input method call.

Violation Code Sample

Sample 1 <% String eid = request.getParameter("eid"); %> ... Employee ID: <%= eid %> Sample 2 <% protected System.Web.UI.WebControls.TextBox Login; protected System.Web.UI.WebControls.Label EmployeeID; ... EmployeeID.Text = Login.Text; %> <p><asp:label id="EmployeeID" runat="server" /></p>

Fixed Code Sample

Sample 1 <% String eid = request.getParameter("eid"); %> ... //include validation code Employee ID: <%= eid %> Sample 2: <% protected System.Web.UI.WebControls.TextBox Login; protected System.Web.UI.WebControls.Label EmployeeID; ... EmployeeID.Text = Login.Text; %> //Include validation methods <p><asp:label id="EmployeeID" runat="server" /></p>

Reference

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') http://cwe.mitre.org/data/definitions/79.html Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Top_10_2007 CISQ rule: ASCSM-CWE-79.

Related Technologies
.Net JEE

Health Factor

Security

Technical Criterion
Secure Coding - Input Validation

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

99.85%

Total Violations

525

Total Opportunities

351,264

Average Violations / App.

2.64

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Select from drop-down

99.77%

Software ISV

99.89%

Financial Services

99.83%

Want more stats? Register now!