The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
An XCCDF Rule
Description
<VulnDiscussion>XSS attacks are essentially code injection attacks against the various language interpreters contained within the browser. XSS can be executed via HTML, JavaScript, VBScript, ActiveX; essentially any scripting language a browser is capable of processing. XSS vulnerabilities are created when a website does not properly sanitize, escape, or encode user input. For example, "<" is the HTML encoding for the "<" character. If the encoding is performed, the script code will not execute. There are 3 parties involved in an XSS attack, the attacker, the trusted and vulnerable website, and the victim. An attacker will take advantage of a vulnerable website that does not properly validate user input by inserting malicious code into any data entry field. When the victim visits the trusted website and clicks on the malicious link left by the attacker, the attacker’s script is executed in the victims browser with the trust permissions assigned to the site. There are several different types of XSS attack and the complete details regarding XSS cannot be described completely here. To address the issue of XSS, web application developers must escape, encode or otherwise validate all user input that is processed and output by the web server. They should also use web templates or a web development framework that provides the capability to encode or otherwise validate user input. Examples of XSS vulnerabilities can be obtained from the Open Web Application Security Project (OWASP) website. The site is available by pointing your browser to https://www.owasp.org.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-222602r879652_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Verify user input is validated and encode or escape user input to prevent embedded script code from executing.
Develop your application using a web template system or a web application development framework that provides auto escaping features rather than building your own escape logic.