XSS value in input tags

I am looking for some guidance on how to protect my code from vulnerabilities. Below are the two lines I have questions about.

<input type="hidden" name="criteria" value="" />
<input type="hidden" name="search" value="0" />


The code was scanned with the IBM AppScan application, and the results showed that the test was able to inject script (XSS) into the criteria and search parameters. I found some examples of this online (script inside a tag) but didn't find a solid solution. Based on this information, what would be the simplest way to handle these values to prevent XSS?

+3




1 answer


You are looking at the wrong end of the problem. What you showed us is simply that you have a form with some fields. That is not a problem.

What is the problem: if there is a form, there must be a form submission. And you will have some kind of process that receives the form submission and does something with it. The "do something with it" part is probably where you should "sanitize it against XSS injection".

How you deal with this depends on why you are being tested, and how strongly they require you to guard such things.

The simplest first thing is to enable "Enable Global Script Protection" in the settings in CFAdmin. It's just a checkbox. I don't know how complete or well implemented this is, but it might be all you need to calm your audit down.



Second ... your WAF should automatically block things like this. If you don't have a WAF, get one. Foundeo do FuseGuard, which I have never used, but I expect it to be very good, as the Foundeo folks know what they are doing, and it is also a CFML-specific solution.

Third: protect your code. This can be as simple as intercepting all incoming form, URL, CGI and cookie values and ensuring they do not contain XSS vectors. The baseline here is to disallow anything containing <script> blocks from being passed to your application. However, what you need to do is more complete than this and is outside the scope of a StackOverflow Q&A. Go take a look at what the OWASP folks have to say about XSS mitigation. Start here: Cross Site Scripting (XSS).

If you're going to be PCI compliant, you probably have to do all three, even if just one of the first two should be OK. PCI is not about being smart, it's about PCI auditors extorting money from you. So, you kindly agree with what they say.

+6
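An added example (not the poster's or the answerer's code) of the answer's third point applied to the two hidden fields from the question: whitelist the value that has a known shape, reject the obvious case, and encode at output time. It assumes the template runs on ColdFusion 10 or later (or Lucee), where encodeForHTMLAttribute() is available, and that the values arrive in the form scope.

```cfml
<!--- Constructed example: the question's two hidden fields, re-rendered safely.
      Assumes ColdFusion 10+ (or Lucee), where encodeForHTMLAttribute() exists. --->
<cfparam name="form.criteria" default="">
<cfparam name="form.search" default="0">

<!--- 1. Validate by whitelist where the value has a known shape:
         "search" is a 0/1 flag, so anything else is replaced, never echoed. --->
<cfif NOT listFind("0,1", form.search)>
    <cfset form.search = 0>
</cfif>

<!--- 2. Reject input containing a <script> block outright (the baseline the answer
         describes). This is a coarse filter and not a substitute for step 3. --->
<cfif reFindNoCase("<\s*script", form.criteria)>
    <cfthrow type="InputValidation" message="Disallowed content in criteria">
</cfif>

<!--- 3a. VULNERABLE rendering (kept commented out): the raw value is interpolated into
          the attribute, so a value containing a double quote can close the attribute
          and inject markup. This is what the scanner flagged. --->
<!---
<cfoutput><input type="hidden" name="criteria" value="#form.criteria#" /></cfoutput>
--->

<!--- 3b. HARDENED rendering: encode for the HTML attribute context at output time,
          so quotes and angle brackets are emitted as entities and stay inert. --->
<cfoutput>
<input type="hidden" name="criteria" value="#encodeForHTMLAttribute(form.criteria)#" />
<input type="hidden" name="search" value="#encodeForHTMLAttribute(form.search)#" />
</cfoutput>
```

On ColdFusion 9 or earlier, where encodeForHTMLAttribute() does not exist, htmlEditFormat() encodes the same quote and angle-bracket characters and is the usual substitute.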

