reginato / school-system-test

Test System

RGB_00003.002 - AppSec Flow: Vulnerability - (Stored XSS) Stored Cross-Site Scripting #10

Open appsec-flow-homologa[bot] opened 3 years ago

appsec-flow-homologa[bot] commented 3 years ago

ID: RGB_00003.002

Category: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Reported by: Rodrigo Reginato

Project: reginato/school-system-test

Criticality:

Impact: High

Probability: High

Criticality: Critical

Standards: [2013] A3 – Cross-Site Scripting (XSS), CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description: A Cross-Site Scripting (XSS) vulnerability could allow an attacker to obtain sensitive information from the web application. This flaw could permit unauthorized access by an attacker. Exploitation of an XSS flaw takes place after the injection of malicious code into the scope of the application; the legitimate user then executes this malicious code, sending sensitive information such as cookies back to the attacker.

Impact description: Awaiting completion

Solution: The first step in mitigating XSS problems is to identify all points of the application where user-supplied data is used in the construction of response pages. This identification procedure should include not only the points where data from a particular request is copied directly into the response page, but must also consider any point where data supplied by the user is persisted by the application to be shown later; this happens, for example, with the information submitted through a registration form. It is recommended that the validation governing the input data flow be based on the context of the information being received: for example, numeric fields should accept strictly numeric characters, rejecting any character set different from the one the application expects. The same procedure should be followed for the other form fields according to the type of information they are meant to accept in the application: names, e-mail addresses, phone numbers, among others. This goal can be achieved using regular expressions to filter out unwanted character sets, chosen based on the context of the information received. With respect to the validation that follows the output stream of the application data, when the information is actually used to build the responses, you should ensure that potentially malicious characters are replaced by the escape sequences defined in HTML. A well-defined set of HTML entities should be used to replace literal characters as follows:

- char " replaced by &quot;
- char ' replaced by &apos;
- char & replaced by &amp;
- char < replaced by &lt;
- char > replaced by &gt;

To achieve excellence in the creation of filters, it is strongly recommended to adopt HTML encoding for any character outside the set of alphanumeric characters and whitespace.

Reference:

- https://www.owasp.org/index.php/XSS
- https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)Prevention_Cheat_Sheet
- https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
- http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting
- http://www.youtube.com/watch?v=Z9RQSnf8-g

Fault type:

Code: test

Data input: test

Data output: test

Defect Tracker: https://app.conviso.com.br/scopes/193/projects/2186
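The solution above describes two controls: context-based validation of input with regular expressions, and HTML entity encoding of every non-alphanumeric, non-whitespace character at output time. The following is an added example in JavaScript, not code from the school-system-test project or from the AppSec Flow report; the field names (studentId, name, email, phone), their validation rules and the sample record are assumptions constructed for illustration.

```javascript
// Added example (not part of the project or the report): output encoding and
// context-based input validation for stored user data, as the solution text recommends.

// Named entities for the five characters listed in the report.
const NAMED_ENTITIES = { '"': '&quot;', "'": '&apos;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };

// Encode everything except alphanumerics and whitespace. The five listed
// characters get their named entity; every other character gets a numeric
// (hexadecimal) character reference. The /u flag makes the regex match whole
// code points, so characters outside the BMP are encoded as one reference.
function encodeForHtml(value) {
  return String(value).replace(/[^A-Za-z0-9\s]/gu, (ch) => {
    if (NAMED_ENTITIES[ch]) return NAMED_ENTITIES[ch];
    return `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`;
  });
}

// Input validation by context (assumed field names and rules). Each rule is an
// allow-list: anything that does not match is rejected, rather than trying to
// strip "bad" characters.
const FIELD_RULES = {
  studentId: /^[0-9]{1,10}$/,                       // strictly numeric
  name: /^[\p{L} '-]{1,80}$/u,                      // letters, space, apostrophe, hyphen
  email: /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/,
  phone: /^\+?[0-9 ()-]{6,20}$/,
};

function validateField(field, value) {
  const rule = FIELD_RULES[field];
  if (!rule) throw new Error(`no validation rule for field "${field}"`);
  return rule.test(String(value));
}

// Validate a whole submitted record; returns the names of fields that failed.
function validateRecord(record) {
  const errors = [];
  for (const [field, value] of Object.entries(record)) {
    if (!validateField(field, value)) errors.push(field);
  }
  return errors;
}

// Render a stored record into an HTML table row. Output encoding is applied to
// every value regardless of whether it was validated on input, which covers
// data that was persisted before the validation rules existed (the stored XSS
// case the report describes).
function renderStudentRow(record) {
  return (
    `<tr><td>${encodeForHtml(record.studentId)}</td>` +
    `<td>${encodeForHtml(record.name)}</td>` +
    `<td>${encodeForHtml(record.email)}</td></tr>`
  );
}

// Constructed sample: a record whose name field carries markup, as a previously
// stored value might. It fails input validation, and even if displayed anyway
// the markup is neutralized by the output encoder.
const sampleRecord = { studentId: '42', name: '<b>Ana</b>', email: 'ana@example.com' };
console.log('invalid fields:', validateRecord(sampleRecord));
console.log(renderStudentRow(sampleRecord));
```

Both layers are kept: the input rules reject data that does not fit the field's context, and the encoder guarantees that whatever does reach the page is rendered as text rather than markup.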

reginato commented 3 years ago

test