How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?

StackOverflow https://stackoverflow.com/questions/21912509

  •  14-10-2022
  •  | 
  •  

Question

We use web control adapter in our login page. Recently we run VeraCode on our web application. In following function, we got CWE80, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), on the line 

rev.ErrorMessage = msg;

Following is the function in the WebControlAdapterExtender class.

static public void WriteRegularExpressionValidator(HtmlTextWriter writer, RegularExpressionValidator rev, string className, string controlToValidate, string msg, string expression)
        {
            if (rev != null)
            {
                rev.CssClass = className;
                rev.ControlToValidate = controlToValidate;
                rev.ErrorMessage = msg;
                rev.ValidationExpression = expression;
                rev.RenderControl(writer);
            }
        }

Does anyone have any suggestion how to fix this?

Était-ce utile?

La solution

The problem is that 'msg' is being passed down to your function, but there is no neutralization of this before it gets used - the string gets uses 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf

I've not used this myself, but I think ErrorMessage gets rendered and displayed in the event of an error. Because this will get rendered on the final page if 'msg' was a naughty snippet of code you are exposing yourself and your users to a security vulnerability.

Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

You should be able to use HtmlEncode to make this safe HttpUtility.HtmlEncode(unencoded);

rev.ErrorMessage = System.web.HttpUtility.HtmlEncode(msg);

Autres conseils

You can also use Apache Commons Lang3 library StringEscapeUtils. It has various methods for encoding the strings. e.g. escapeXml(string), escapeHtml(string) etc.

rev.ErrorMessage = StringEscapeUtils.escapeHtml(msg);

VeraCode lists Supported Cleansing Functions, including those CWE IDs that each function addresses.

A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and crosssite scripting attacks.

Issue Code

strMessage=CLASSCONSTANTNAME+className+MESSAGENAME+message; LOGGER.info(strMessage);

Fixed Code

strMessage=CLASSCONSTANTNAME+className+MESSAGENAME+message; LOGGER.info(ESAPI.encoder().encodeForHTML(strMessage));

moredetail

You can use ESAPI library to fix this.

rev.ErrorMessage = ESAPI.encoder().encodeForHTML(msg);
Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
scroll top