
Server side cross-site scripting

Description

It is possible to inject JavaScript into application fields that the server evaluates or renders as code rather than as data, so the injected code runs with the server's own privileges. A remote attacker can use this to read internal server files, make requests on behalf of the server (reaching systems that are not exposed to the Internet) or perform a port scan from the server.

Impact

  • Extract information from the server.
  • Execute actions on the server or on behalf of the server.

Recommendation

Properly validate and sanitize user input before it reaches any server-side evaluation or rendering step: check each field against an allow list of expected values and formats, and treat input as data, never as code to be executed.
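The following is an added example, not code from the original page or from Fluid Attacks. It models the vulnerability named in the Description (JavaScript injected through an application field and executed by the server) in a hypothetical Node.js product search that passes a client-supplied filter string to eval(), and then applies the Recommendation: the same filter feature with the input parsed against an allow list so that it is only ever treated as data. The catalogue, the function names and the filter grammar are all assumptions made for the example.

```javascript
// Added example (not from the original page): server-side JavaScript injection
// through a filter field, beside a hardened version that validates the field
// against an allow-listed grammar instead of evaluating it.

// Constructed sample data standing in for a product catalogue.
const PRODUCTS = [
  { name: 'Keyboard', price: 45, stock: 12 },
  { name: 'Monitor', price: 230, stock: 3 },
  { name: 'Cable', price: 8, stock: 140 },
];

// ---------- Non-compliant: the server evaluates the client's string as code ----------
// The client is expected to send something like "product.price < 50". Because
// the string goes to eval(), any JavaScript runs with the server's privileges,
// and the expression's value is what the handler sends back to the client.
function evaluateFilterUnsafe(filterExpr, product) {
  // Direct eval: the injected code sees this scope, the Node.js globals
  // (process, globalThis, ...) and, in a CommonJS module, require().
  return eval(filterExpr);
}

function searchUnsafe(filterExpr) {
  return PRODUCTS.filter((product) => evaluateFilterUnsafe(filterExpr, product));
}

// ---------- Compliant: parse the filter against an allow list, never evaluate it ----------
const ALLOWED_FIELDS = new Set(['name', 'price', 'stock']);
const OPERATORS = {
  '<': (a, b) => a < b,
  '<=': (a, b) => a <= b,
  '>': (a, b) => a > b,
  '>=': (a, b) => a >= b,
  '==': (a, b) => a === b,
};
// Exactly one comparison: field, operator, then a number or a short double-quoted
// alphanumeric string. Anything else (dots, parentheses, semicolons, ...) fails.
const FILTER_RE = /^\s*([a-z]+)\s*(<=|>=|==|<|>)\s*(?:(\d+(?:\.\d+)?)|"([A-Za-z0-9 ]{0,64})")\s*$/;

function parseFilter(filterExpr) {
  const m = FILTER_RE.exec(filterExpr);
  if (!m) throw new Error('filter rejected: not in the allowed grammar');
  const [, field, op, num, str] = m;
  if (!ALLOWED_FIELDS.has(field)) throw new Error(`filter rejected: unknown field ${field}`);
  const value = num !== undefined ? Number(num) : str;
  if (typeof value === 'string' && op !== '==') {
    throw new Error('filter rejected: strings support == only');
  }
  return { field, op, value }; // plain data; no code path can run from it
}

function searchSafe(filterExpr) {
  const { field, op, value } = parseFilter(filterExpr); // throws on anything that is not data
  return PRODUCTS.filter((product) => OPERATORS[op](product[field], value));
}

// Demonstration: the legitimate filter works in both versions, while the injected
// expression is executed by the unsafe one and rejected by the safe one.
const injected = 'process.version'; // leaks server information instead of filtering
console.log(searchUnsafe('product.price < 50').map((p) => p.name)); // [ 'Keyboard', 'Cable' ]
console.log(evaluateFilterUnsafe(injected, PRODUCTS[0]));           // the server's Node.js version string
console.log(searchSafe('price < 50').map((p) => p.name));           // [ 'Keyboard', 'Cable' ]
try { searchSafe(injected); } catch (e) { console.log(e.message); }  // filter rejected: not in the allowed grammar
```

The unsafe handler returns process.version because eval() hands the attacker the whole runtime; the same field would accept require('fs') in a CommonJS module, which is the file-read and outbound-request capability the Description warns about. The safe version never builds code from the input: the regular expression and the field set are the only things a request can select from, and every other string is refused before any logic runs.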

Threat

Unprivileged attacker from the internet impersonating the application.

Expected Remediation Time

⌚ 45 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: C
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: H
  • Remediation level: U
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H/RL:U/RC:R
  • Score:
    • Base: 5.0
    • Temporal: 4.8
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application declares, for every input it accepts, the expected type, the allowed values and the size limits, and rejects anything outside those declarations before the value is used.

class ContactController {
    /**
     * Every field the action accepts is declared here with its type and
     * constraints; undeclared fields and out-of-range values are rejected.
     *
     * @input("name", type = "string", singleLine = true, required = false)
     * @input("email", type = "email")
     * @input("subject", type = "string", alternatives = ['Subject A', 'Subject B', 'Subject C'])
     * @input("message", type = "string", range = [4,])
     */
    public function post(Inputs $inputs) {
        // Validates the inputs and throws an error when a value is not in the
        // allowed, predefined list of values or violates its declared constraints
    }
}

class ContactForm extends sfFormX {
    public function configure(InputsMeta $inputs) {
        // Bind the form to the input list declared on the controller action;
        // throws an error when no @input declaration exists for a widget
        $this->addWidgets(
            new sfWidgetFormInput($inputs->name),
            new sfWidgetFormInput($inputs->email),
            new sfWidgetFormSelect($inputs->subject),
            new sfWidgetFormTextarea($inputs->message)
        );
        $this->widgetSchema->setNameFormat('contact[%s]');
    }
}

Non compliant code

Some classes in the application do not validate their inputs at all: the widgets are created without any declared type, allowed values or limits, so whatever the client sends in each field is accepted as-is.

class ContactForm extends sfFormX {
    public function configure(InputsMeta $inputs) {
        // No @input declarations back these widgets, so every field is
        // passed on to the server unvalidated
        $this->addWidgets(
            new sfWidgetFormInput($inputs->name),
            new sfWidgetFormInput($inputs->email),
            new sfWidgetFormSelect($inputs->subject),
            new sfWidgetFormTextarea($inputs->message)
        );
    }
}
