Stored Cross-Site Scripting

Severity: High
Test name: Stored Cross-Site Scripting (XSS)

Summary

The web application stores attacker-controlled data in its persistent, server-side database. That data is later embedded in an HTTP response served to a client, which may be the user who submitted it or a different one. The client trusts the content and processes the injected code as if it were a legitimate part of the page. Because the stored data may be included in dynamically generated content at any later time, an attacker can perform actions in the browser that are normally reserved for the victim user, such as reading cookies, session tokens, and other sensitive information.

Impact

This vulnerability allows an attacker to:

  • Execute unauthorized code or commands
  • Bypass protection mechanisms
  • Read the application data
  • Deface the application

Location

The issue can be found in the source code on the server side.

Remedy suggestions

Given that the compromised information originates from the server side, the most effective countermeasure is to prevent the generation of hazardous data on the server. Key strategies:

  • Consider all user input as potentially unsafe. Implement stringent filtering and precise validation of user inputs using a whitelist approach.
  • Encode output data so that it cannot be interpreted as executable content. Use the encoding that matches the context in which the user input will be placed: HTML, URL, JavaScript, or CSS encoding. A common error is to apply HTML entity encoding universally. HTML entity encoding protects against injection into the main body of an HTML document (for example inside a <div> tag), but it is ineffective for untrusted data placed inside a <script> tag, in event handler attributes (e.g., onmouseover), in CSS, or in URLs. The encoding syntax must therefore match the segment of the HTML document where the untrusted data is inserted. To make sure these rules are applied correctly, we recommend using a security-focused encoding library, for example:
      • Java: OWASP Java Encoder
      • .NET: AntiXssEncoder Class
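
The context-specific encoding rule above, as an added example that is not part of this advisory or of the libraries it names. The context names ("html", "attr", "js", "event_handler", "url") and the sample value are this example's own; the point it shows is that an event handler attribute is HTML-decoded by the browser before it is parsed as JavaScript, so entity encoding alone hands the original quote characters straight to the script engine.

```python
import html
import urllib.parse

# Constructed sample: stored data containing characters that matter in
# several output contexts (apostrophe, double quote, angle brackets).
SAMPLE = "Bob's \"weekly\" <report>"

def encode_html(value: str) -> str:
    """Entity-encode for HTML body text or a quoted HTML attribute."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """Escape for a JavaScript string literal: every non-alphanumeric
    character becomes \\xHH / \\uHHHH, so quotes, backslashes, line
    terminators and '</script>' cannot end the literal or the block."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04X}")
        else:
            out.append(f"\\u{{{cp:X}}}")  # ES2015 code point escape
    return "".join(out)

def encode_url_component(value: str) -> str:
    """Percent-encode for a single query-string parameter value."""
    return urllib.parse.quote(value, safe="")

def render(context: str, value: str) -> str:
    """Pick the encoder from the HTML segment the data lands in.
    Context names are this example's own convention."""
    if context == "html":            # <div>VALUE</div>
        return encode_html(value)
    if context == "attr":            # <input value="VALUE">
        return encode_html(value)
    if context == "js":              # <script>var x = 'VALUE';</script>
        return encode_js_string(value)
    if context == "event_handler":   # onmouseover="f('VALUE')"
        # The browser HTML-decodes the attribute, *then* parses it as
        # JavaScript, so escape for JS first and HTML-encode on top.
        return encode_html(encode_js_string(value))
    if context == "url":             # <a href="/q?name=VALUE">
        return encode_url_component(value)
    raise ValueError(f"unknown context: {context}")

def after_attribute_decoding(attr_value: str) -> str:
    """What the JavaScript engine receives from an event handler
    attribute: the browser's HTML entity decoding has already run."""
    return html.unescape(attr_value)
```

after_attribute_decoding(encode_html(SAMPLE)) returns the original string, apostrophe and all, which is why entity encoding on its own fails inside onmouseover; after_attribute_decoding(render("event_handler", SAMPLE)) still contains only alphanumerics and \xHH escapes.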

Classifications
  • CWE-79
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References