Stored Cross-Site Scripting

The application stores malicious data in a long time storage (usually a database on the server side). The malicious code is returned to the client as part of the HTTP response from the server (to the same or different client/user), and the client interprets it as trustworthy. The dangerous data can be later included in dynamic content. As a result, an attacker can do anything that a victim (user) can on the client side (access any cookies, session tokens and other).

This vulnerability allows an attacker to:

• Execute unauthorized code or commands
• Bypass protection mechanism
• Read the application data
• Deface the application

The issue can be found in the source code on the server side.

Since the information is returned from the server-side, the most effective solution is to prevent dangerous data from being created on the server.
The general recommendations are the following:

• Treat all user input as untrusted. All user inputs should be strictly filtered and precisely validated (whitelist approach).
• Encode the output data to prevent it from being interpreted as active content. Use the appropriate encoding technique depending on where the user input is to be used: HTML, URL, JavaScript, or CSS encoding. A common mistake is to use HTML entity encoding everywhere. It is important to understand that HTML entity encoding protects you from injections inside the body of the HTML document (line <div> tag). But it doesn't work if you put untrusted data inside the <script> tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. You MUST use the encode syntax, which is suitable for the part of the HTML document you are putting untrusted data into. To make sure that these rules are properly implemented, we recommend using a security-focused encoding library, for example:
  • Java: OWASP Java Encoder
  • .NET: AntiXssEncoder Class

• CWE-79
• CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

• https://cwe.mitre.org/data/definitions/79.html
• https://www.owasp.org/index.php/Cross-siteScripting(XSS)
• https://brightsec.com/blog/cross-site-scripting-xss//
• https://brightsec.com/blog/xss/
• https://brightsec.com/blog/cross-site-scirpting-prevention/