CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Weakness ID: 80 (Weakness Variant)
Status: Incomplete
Description
Description Summary
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Extended Description
This may allow such characters to be treated as control characters, which are executed client-side in the context of the user's session. Although this can be classified as an injection problem, the more pertinent issue is the improper conversion of such special characters to respective context-appropriate entities before displaying them to the user.
Time of Introduction
Implementation
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Confidentiality
Integrity
Availability
Technical Impact: Read application
data; Execute unauthorized code or
commands
Likelihood of Exploit
High to Very High
Demonstrative Examples
Example 1
In the following example, a guestbook comment isn't properly
encoded, filtered, or otherwise neutralized for script-related tags before
being displayed in a client browser.
(Bad Code)
Example
Language: JSP
<% for (Iterator i = guestbook.iterator(); i.hasNext(); )
{
Carefully check each input parameter against a rigorous positive
specification (white list) defining the specific characters and format
allowed. All input should be neutralized, not just parameters that the
user is supposed to specify, but all data in the request, including
hidden fields, cookies, headers, the URL itself, and so forth. A common
mistake that leads to continuing XSS vulnerabilities is to validate only
fields that are expected to be redisplayed by the site. We often
encounter data from the request that is reflected by the application
server or the application that the development team did not anticipate.
Also, a field that is not currently reflected may be used by a future
developer. Therefore, validating ALL parts of the HTTP request is
recommended.
Phase: Implementation
Strategy: Output Encoding
For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.
With Struts, you should write all data from form beans with the bean's
filter attribute set to true.
Phase: Implementation
Strategy: Identify and Reduce Attack Surface
To help mitigate XSS attacks against the user's session cookie, set
the session cookie to be HttpOnly. In browsers that support the HttpOnly
feature (such as more recent versions of Internet Explorer and Firefox),
this attribute can prevent the user's session cookie from being
accessible to malicious client-side scripts that use document.cookie.
This is not a complete solution, since HttpOnly is not supported by all
browsers. More importantly, XMLHTTPRequest and other powerful browser
technologies provide read access to HTTP headers, including the
Set-Cookie header in which the HttpOnly flag is set.
Effectiveness: Defense in Depth
Weakness Ordinalities
Ordinality
Description
Primary
(where
the weakness exists independent of other weaknesses)
Description
