Difference between revisions of "Top 10-2017 A7-Cross-Site Scripting (XSS)"
(Prepare OWASP Top 10-2017 Release (Content))
m (Editorial changes e.g. line feeds, added and fixed a link)
Line 24: | Line 24: | ||
<td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | ||
<!--- Security Weakness: ---> | <!--- Security Weakness: ---> | ||
− | XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications. Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET. </td> | + | XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications.<br/>Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET. </td> |
<td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | ||
<!--- Impacts: ---> | <!--- Impacts: ---> | ||
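Review bot: No content change in this hunk; the inserted `<br/>` in the Security Weakness cell only splits the two sentences onto separate lines, and the `</td>` that closes the cell is still present on the new side, so the table markup stays balanced and nothing needs changing here.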
Line 41: | Line 41: | ||
Preventing XSS requires separation of untrusted data from active browser content. This can be achieved by: | Preventing XSS requires separation of untrusted data from active browser content. This can be achieved by: | ||
* Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered. | * Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered. | ||
− | * Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The <u>[[XSS_(Cross_Site_Scripting|OWASP | + | * Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The <u>[[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet|OWASP Cheat Sheet 'XSS Prevention']]</u> has details on the required data escaping techniques. |
− | * Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. When this cannot be avoided, similar context sensitive escaping techniques can be applied to browser APIs as described in | + | * Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. When this cannot be avoided, similar context sensitive escaping techniques can be applied to browser APIs as described in the <u>[[DOM_based_XSS_Prevention_Cheat_Sheet|OWASP Cheat Sheet 'DOM based XSS Prevention']]. |
* Enabling a <u>[https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Content Security Policy (CSP)]</u> as a defense-in-depth mitigating control against XSS. It is effective if no other vulnerabilities exist that would allow placing malicious code via local file includes (e.g. path traversal overwrites or vulnerable libraries from permitted content delivery networks). | * Enabling a <u>[https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Content Security Policy (CSP)]</u> as a defense-in-depth mitigating control against XSS. It is effective if no other vulnerabilities exist that would allow placing malicious code via local file includes (e.g. path traversal overwrites or vulnerable libraries from permitted content delivery networks). | ||
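Review bot: The new version of the DOM XSS bullet opens `<u>` before `[[DOM_based_XSS_Prevention_Cheat_Sheet|OWASP Cheat Sheet 'DOM based XSS Prevention']]` but never closes it, unlike the preceding bullet, which ends with `]]</u>`; add the closing `</u>` after `]]` so the underline does not run on into the CSP bullet that follows. The link repair in the first bullet (the truncated `[[XSS_(Cross_Site_Scripting|OWASP` becoming `[[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet|OWASP Cheat Sheet 'XSS Prevention']]`) is correct and also restores the `</u>` that the old side was missing.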
Latest revision as of 16:49, 1 January 2018

| Threat Agents / Attack Vectors | | Security Weakness | | Impacts | |
|---|---|---|---|---|---|
| App Specific | Exploitability: 3 | Prevalence: 3 | Detectability: 3 | Technical: 2 | Business ? |
| Automated tools can detect and exploit all three forms of XSS, and there are freely available exploitation frameworks. | | XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications. Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET. | | The impact of XSS is moderate for reflected and DOM XSS, and severe for stored XSS, with remote code execution on the victim's browser, such as stealing credentials, sessions, or delivering malware to the victim. | |
Is the Application Vulnerable?

There are three forms of XSS, usually targeting users' browsers:

Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks.

How to Prevent

Preventing XSS requires separation of untrusted data from active browser content. This can be achieved by:
Example Attack Scenarios

Scenario #1: The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:

(String) page += "<input name='creditcard' type='TEXT'

The attacker modifies the ‘CC’ parameter in the browser to:

'><script>document.location=

This attack causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.

Note: Attackers can use XSS to defeat any automated Cross-Site Request Forgery (CSRF) defense the application might employ.
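The defence the "How to Prevent" section calls for, context-sensitive output encoding, applied to Scenario #1. This is an added example, not code from the OWASP page, written in JavaScript for Node so that the vulnerable and hardened builders can be run side by side. It follows the encoding rules of the OWASP XSS Prevention Cheat Sheet linked in the revision diff above (body, attribute and JavaScript-string contexts). The page's snippet is cut off after `type='TEXT'`, so the `value='...'` attribute that the untrusted CC parameter lands in is an assumption, and the attacker input used is the truncated value the page shows, embedded here as a constructed sample.

```javascript
// Added example (not the OWASP page's own code): context-aware output encoding
// applied to the page's Scenario #1. Encoding rules follow the OWASP XSS
// Prevention Cheat Sheet. The value='...' attribute is an assumption, since the
// page's HTML snippet is cut off after type='TEXT'.

// HTML body context: entity-encode the characters that can start or end markup.
function encodeForHtmlBody(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HTML attribute context: encode every character outside [A-Za-z0-9] as &#xHH;.
// Stricter than body encoding because an unquoted or single-quoted attribute can
// be terminated by more than the usual six characters (space, =, backtick, ...).
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu,
    (c) => '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript string context: \xHH for Latin-1, \uHHHH or \u{H...} beyond that, so
// the data can never close the quoted string or the surrounding <script> block.
function encodeForJavaScript(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    const hex = cp.toString(16).toUpperCase();
    if (cp < 0x100) return '\\x' + hex.padStart(2, '0');
    if (cp < 0x10000) return '\\u' + hex.padStart(4, '0');
    return '\\u{' + hex + '}';
  });
}

// Scenario #1 as the page describes it: the untrusted CC parameter is concatenated
// straight into the markup, so whatever the client sends becomes part of the page.
function buildCreditCardInputVulnerable(cc) {
  return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
}

// Hardened form: same template, but the data is encoded for the attribute context
// it lands in. The quote that would have closed the attribute becomes &#x27;.
function buildCreditCardInputSafe(cc) {
  return "<input name='creditcard' type='TEXT' value='" + encodeForHtmlAttribute(cc) + "'>";
}

// Defender's check: count tag openers in the rendered markup. The template holds
// exactly one; any extra means untrusted data broke out of its attribute.
function countTagOpeners(html) {
  return (html.match(/<[A-Za-z\/!]/g) || []).length;
}

// Constructed sample: the truncated value the page's attacker sends for the CC parameter.
const PAGE_SCENARIO_INPUT = "'><script>document.location=";

function demo() {
  const vulnerable = buildCreditCardInputVulnerable(PAGE_SCENARIO_INPUT);
  const safe = buildCreditCardInputSafe(PAGE_SCENARIO_INPUT);
  console.log('vulnerable:', vulnerable, '-> tag openers:', countTagOpeners(vulnerable));
  console.log('safe:      ', safe, '-> tag openers:', countTagOpeners(safe));
  console.log('JS string context:', encodeForJavaScript(PAGE_SCENARIO_INPUT));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Run with `node` to see the two renderings: the vulnerable builder emits a second tag opener after the attribute is closed by the leading quote, while the hardened builder emits one `<input>` whose `value` holds the data as entities. The encoder is chosen by the context the data is written into, not by what the data looks like; the same `'` needs `&#x27;` in an attribute but `\x27` inside a script string, which is why one "sanitize everything" filter is not a substitute. A Content Security Policy, as the prevention list notes, belongs on top of this as defence in depth, not instead of it.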
References
OWASP
External