Secure Code Review (SCR): A3 Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications. It allows attackers…

Cross-Site Scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users, leading to a range of potential attacks such as stealing user sessions, defacing websites, or redirecting the user to malicious sites. In this blog post, we will delve into the details of XSS vulnerabilities, how to identify them during a secure code review, and what measures can be taken to prevent them.

Understanding Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks occur when an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS vulnerabilities enable attackers to inject malicious scripts into web pages viewed by other users.

XSS attacks can be classified into three types:

  1. Stored XSS: The application stores user input that is later viewed and executed by other users. This type of XSS vulnerability is also called Persistent or Type-I XSS.
  2. Reflected XSS: The application includes user input as part of an immediate response to a user’s request. This user input is then executed by the user’s browser. This type of XSS vulnerability is also called Non-Persistent or Type-II XSS.
  3. DOM-based XSS: The application writes user input to the Document Object Model (DOM). The web page then reads the data from the DOM and outputs it in an unsafe way. This type of XSS vulnerability is also called Type-0 XSS.

Identifying Cross-Site Scripting (XSS) in Code Review

During a secure code review, the primary goal is to identify places in the code where the application includes untrusted data in a web page. Here are some things to look for:

  1. Data validation and sanitization: If the application does not properly validate or sanitize user input before including it in a web page, it’s a potential XSS vulnerability.
  2. Use of unsafe APIs: If the application uses APIs that can create HTML or JavaScript, such as document.write or innerHTML, without properly escaping user input, it's a potential XSS vulnerability.
  3. Lack of output encoding: If the application does not properly encode user input before including it in a web page, it’s a potential XSS vulnerability.

Checklist for Secure Code Review against Cross-Site Scripting (XSS)

Here is a checklist to follow when performing a secure code review to identify XSS vulnerabilities:

  1. Identify all points in the code where the application includes user input in a web page.
  2. Check if the application properly validates or sanitizes user input before including it in a web page.
  3. Check if the application uses unsafe APIs without properly escaping user input.
  4. Check if the application properly encodes user input before including it in a web page.

Preventing Cross-Site Scripting (XSS)

Preventing XSS vulnerabilities involves proper design and coding practices. Here are some measures that can be taken:

  1. Data validation and sanitization: Always validate and sanitize user input before including it in a web page. Use a secure allow-list of acceptable inputs.
  2. Safe use of APIs: Avoid using APIs that can create HTML or JavaScript unless absolutely necessary. If you must use them, always properly escape user input.
  3. Output encoding: Always encode user input before including it in a web page. Use the appropriate encoding scheme for the context in which the data will be used (e.g., HTML encoding, JavaScript encoding).

In conclusion, XSS is a serious threat to application security, but it can be effectively mitigated with proper coding and design practices. A thorough secure code review is a crucial step in identifying and fixing these vulnerabilities before the application goes into production.


References:

  1. https://owasp.org/www-project-code-review-guide/assets/OWASP_Code_Review_Guide_v2.pdf