Reflected cross-site scripting (XSS)
Need
Implementation of input validation and output encoding to prevent the execution of malicious scripts
Context
- Usage of Go 1.16 for developing high-performance and scalable applications
- Usage of Gin framework for building web applications in Go
Description
Non compliant code
package main
import (
"github.com/gin-gonic/gin"
)
func main() {
r := gin.Default()
r.GET("/search", func(c *gin.Context) {
query := c.Query("q") // This is where the vulnerability lies
c.String(200, "Search Results: "+query)
})
r.Run()
}
In the code above, the application is using the Gin web framework for Go. It sets up a GET route at "/search" that takes a query parameter "q" and directly outputs it in the response.
The vulnerability lies in the line query := c.Query("q"). The application takes the user's input directly from the query parameter "q" and uses it in the response without any sanitization or encoding. This is a classic case of Reflected Cross-Site Scripting (XSS) where untrusted user input is directly included in the webpage without proper validation or escaping.
This means that an attacker could send a link to a victim with a malicious script in the "q" parameter. If the victim clicks on the link, the script will execute in the victim's browser, and the attacker can potentially steal sensitive information such as session cookies, tokens, etc.
To prevent this type of vulnerability, the application should always validate and sanitize user input and escape any output that is included in the webpage.
Steps
- Validate and sanitize user input before using it in dynamic content generation.
- Use proper output encoding to prevent the execution of malicious scripts.
- Implement Content Security Policy (CSP) to restrict the sources of content that can be loaded by the application.
- Enable XSS protection mechanisms provided by the framework or web server.
- Regularly update the framework and dependencies to ensure the latest security patches are applied.
Compliant code
package main
import (
"github.com/gin-gonic/gin"
"net/url"
)
func main() {
r := gin.Default()
r.GET("/search", func(c *gin.Context) {
query := c.Query("q") // This is where the vulnerability lies
safeQuery := url.QueryEscape(query)
c.String(200, "Search Results: "+safeQuery)
})
r.Run()
}
The original code was vulnerable to Reflected Cross-Site Scripting (XSS) attacks. This is because it directly used the user input from the query parameter q in the response without any validation or sanitization. An attacker could exploit this by sending a URL with a malicious script in the q parameter to a victim. When the victim clicks on the URL, the malicious script would be executed in the victim's browser.
The fixed code mitigates this vulnerability by using the url.QueryEscape function from Go's net/url package to sanitize the user input. This function replaces special characters in the query string with their percent-encoded equivalents, effectively preventing any scripts from being executed.
However, this is just one layer of defense. For a more comprehensive protection against XSS attacks, consider implementing Content Security Policy (CSP) to restrict the sources of content that can be loaded by the application, enabling XSS protection mechanisms provided by the framework or web server, and regularly updating the framework and dependencies to ensure the latest security patches are applied.