XSS Attacks

code analysis

Code Example:
$name = $_GET["name"];
echo "Welcome $name"; // Noncompliant
Compliant Solution:
$name = $_GET["name"];
$safename = htmlspecialchars($name);
echo "Welcome $safename";
Noncompliant Code Example :templates/xss_shared.html

<!doctype html>
<title>Hello from Flask</title>
{% if name %}
<h1>Hello {{ name }}!</h1>
{% else %}
<h1>Hello, World!</h1>
{% endif %}

xss.py

@xss.route('/insecure/no_template_engine_replace', methods =['GET'])
def no_template_engine_replace():
param = request.args.get('param', 'not set')

html = open('templates/xss_shared.html').read()
response = make_response(html.replace('{{ name }}', param)) # Noncompliant: param is not sanitized
return response
compliant Solution:templates/xss_shared.html

<!doctype html>
<title>Hello from Flask</title>
{% if name %}
<h1>Hello {{ name }}!</h1>
{% else %}
<h1>Hello, World!</h1>
{% endif %}

xss.py

@xss.route('/secure/no_template_engine_sanitized_Markup_escape', methods =['GET'])
def no_template_engine_sanitized_Markup_escape():
param = request.args.get('param', 'not set')

param = Markup.escape(param)

html = open('templates/xss_shared.html').read()
response = make_response(html.replace('{{ name }}', param )) # Compliant: 'param' is sanitized by Markup.escape
return response
Noncompliant Code Example:protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String name = req.getParameter("name");
PrintWriter out = resp.getWriter();
out.write("Hello " + name); // Noncompliant
}
Compliant Solution:protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String name = req.getParameter("name");
String encodedName = org.owasp.encoder.Encode.forHtml(name);
PrintWriter out = resp.getWriter();
out.write("Hello " + encodedName);
}

This site explains the vulnerability in detail with challenges

XSS Bug Bounty Reports

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store