Stored Cross-Site Scripting

The web application stores malicious data in a long-term storage, typically a server-side database. This malicious code is then included in the HTTP response from the server to the client, either to the same client or a different one. The client receives the response and trusts the content, unknowingly interpreting the malicious code as trustworthy. This dangerous data can later be incorporated into dynamic content. Consequently, an attacker gains the ability to perform any actions that a victim user can on the client side, including accessing cookies, session tokens, and other sensitive information.

This vulnerability allows an attacker to:

• Execute unauthorized code or commands
• Bypass protection mechanism
• Read the application data
• Deface the application

The issue can be found in the source code on the server side.

Since the information is returned from the server-side, the most effective solution is to prevent dangerous data from being created on the server.
The general recommendations are the following:

• Treat all user input as untrusted. All user inputs should be strictly filtered and precisely validated (whitelist approach).
• Encode the output data to prevent it from being interpreted as active content. Use the appropriate encoding technique depending on where the user input is to be used: HTML, URL, JavaScript, or CSS encoding. A common mistake is to use HTML entity encoding everywhere. It is important to understand that HTML entity encoding protects you from injections inside the body of the HTML document (line <div> tag). But it doesn't work if you put untrusted data inside the <script> tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. You must use the encode syntax, which is suitable for the part of the HTML document you are putting untrusted data into. To make sure that these rules are properly implemented, we recommend using a security-focused encoding library, for example:
  • Java: OWASP Java Encoder
  • .NET: AntiXssEncoder Class

• CWE-79
• CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

• https://cwe.mitre.org/data/definitions/79.html
• https://www.owasp.org/index.php/Cross-siteScripting(XSS)
• https://brightsec.com/blog/cross-site-scripting-xss//
• https://brightsec.com/blog/xss/
• https://brightsec.com/blog/cross-site-scirpting-prevention/