CRITICAL
Rule Definition
Pages that are built from request data in this way, without validating or encoding it, form the core of many phishing schemes: an attacker convinces a victim to visit a URL that refers to a vulnerable site, the site reflects the attacker's content back to the victim, and the victim's browser executes it.
One of the most common and most dangerous web application vulnerabilities is cross-site scripting (XSS). It is caused by malicious script being echoed back into the HTML returned by a trusted site, so that the script runs in the trusted context (origin) of that site.
Remediation
Use authorized sanitization methods.
To avoid creating XSS flaws, the Open Web Application Security Project (OWASP) recommends both input validation and "strong output encoding" (sanitization):
"Strong output encoding. Ensure that all user-supplied data is appropriately entity encoded (either HTML or XML depending on the output mechanism) before rendering, taking the approach to encode all characters other than a very limited subset. This is the approach of the Microsoft Anti-XSS library or any valid sanitization libraries. Also, set the character encodings for each page you output, which will reduce exposure to some variants."
This rule checks that the appropriate output encoding (sanitization) is applied as close as possible to the call that reads the user input, which makes security review easier for every member of the team.
Violation Code Sample
JSP Example: this JSP code segment reads an employee ID, eid, from an HTTP request and displays it to the user without encoding it.
<% String eid = request.getParameter("eid"); %>
...
...
Employee ID: <%= eid %>
...
...
ASP.NET Example: this ASP.NET code segment reads an employee ID number from a form field and displays it to the user without encoding it.
<%
protected System.Web.UI.WebControls.TextBox Login;
protected System.Web.UI.WebControls.Label EmployeeID;
...
...
EmployeeID.Text = Login.Text;
%>
<p><asp:label id="EmployeeID" runat="server" /></p>
The code in both examples operates correctly as long as the employee ID contains only standard alphanumeric text. If the value includes HTML meta-characters or script, the browser executes it while rendering the HTTP response, because neither the JSP expression <%= %> nor the ASP.NET Label.Text property HTML-encodes its content.
Fixed Code Sample
JSP Example: the value is still validated on input, and it is HTML-encoded on output with an authorized sanitization method (here the JSTL c:out tag, whose default escapeXml="true" encodes <, >, &, ' and " before rendering; the OWASP Java Encoder's Encode.forHtml is an equivalent choice).
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<% String eid = request.getParameter("eid"); %>
... <%-- Input validation is mandatory (use an authorized sanitization library) --%>
Employee ID: <c:out value="<%= eid %>"/>
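As an added example, not code from the CAST rule page, the following Java helper shows what "strong output encoding" and input validation close to the input call look like behind a JSP such as the one above. isValidEid rejects anything that is not a short run of digits (an assumed employee ID format), and encodeForHtml turns every character outside [A-Za-z0-9] into a numeric character reference, which is the encode-everything-but-a-small-subset approach OWASP describes. The class and method names and the constructed <script> payload in main are illustrative and not part of the original page.

```java
import java.util.regex.Pattern;

// Illustrative helper class (hypothetical name); the JSP would call render().
public final class EidOutput {

    // Validation as close as possible to the input call: an employee ID is
    // assumed, for this example, to be 1 to 10 ASCII digits.
    private static final Pattern EID_PATTERN = Pattern.compile("^[0-9]{1,10}$");

    public static boolean isValidEid(String eid) {
        return eid != null && EID_PATTERN.matcher(eid).matches();
    }

    // "Strong output encoding": every character except A-Z, a-z and 0-9 is
    // emitted as a numeric character reference, so no input character can
    // close an attribute, open a tag or start a script wherever it lands.
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() * 2);
        int i = 0;
        while (i < s.length()) {
            int cp = s.codePointAt(i);
            boolean safe = (cp >= 'a' && cp <= 'z')
                    || (cp >= 'A' && cp <= 'Z')
                    || (cp >= '0' && cp <= '9');
            if (safe) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#").append(cp).append(';');
            }
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    // The fragment the page should emit for a given request parameter:
    // invalid input is rejected outright (no attempt to "clean" it), and
    // valid input is still encoded, so both controls apply.
    public static String render(String eid) {
        if (!isValidEid(eid)) {
            return "Employee ID: <em>invalid</em>";
        }
        return "Employee ID: " + encodeForHtml(eid);
    }

    public static void main(String[] args) {
        // Constructed reflected-XSS payload for demonstration only.
        String payload = "123<script>alert(document.cookie)</script>";
        System.out.println("valid:   " + isValidEid(payload));
        System.out.println("encoded: " + encodeForHtml(payload));
        System.out.println("render:  " + render(payload));
        System.out.println("render:  " + render("4711"));
    }
}
```

Compile and run with javac EidOutput.java && java EidOutput. The validator rejects the payload before it reaches the page, and even if only the encoder were applied, the < and > of the script tag leave as numeric references, so the browser displays the text instead of executing it.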
Reference
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
http://cwe.mitre.org/data/definitions/79.html
Open Web Application Security Project (OWASP) Top 10 2007
http://www.owasp.org/index.php/Top_10_2007
CISQ rule: ASCSM-CWE-79
2011 CWE/SANS Top 25 - Insecure Interaction Between Components
OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)
OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)
OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
Related Technologies
Technical Criterion
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.