Cross-site scripting reflecting vulnerability

The CS.XSS.REFLECT checker flags instances of code in which input taken directly from the HTTP request is reflected (displayed) back to the user and executed by the web browser.

Vulnerability and risk

Cross-site scripting (XSS) is a type of attack that is possible when software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.

XSS vulnerabilities occur when:

  1. Untrusted data enters a web application, typically from a web request.
  2. The web application dynamically generates a web page that contains this untrusted data.
  3. During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
  4. By using a web browser, a victim visits the generated web page that contains the malicious script that was injected using the untrusted data.
  5. Because the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain.
  6. This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain.

There are three main kinds of XSS:

  • Type 1: Reflected XSS (or non-persistent)
  • Type 2: Stored XSS (or persistent)
  • Type 0: DOM-Based XSS

In reflected XSS, the server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.

Mitigation and prevention

To prevent XSS attacks, neutralize all user-controllable input before placing that data in output that is used as a web page.

Vulnerable code example

  protected void Page_Load(object sender, EventArgs e)
  {
      string reqStr = Request.QueryString["id"];
      MyLabel.Text = "From get string: " + reqStr;       // CS.XSS.REFLECT
  }

In this example, Klocwork reports a defect at line 4, indicating, "Unvalidated XSS string 'reqStr' is received from 'get_QueryString()' at line 3. This is being written to stdout through call to 'get_Text()' at line 4. This allows for a cross-site scripting vulnerability."

Fixed code example

  protected void Page_Load(object sender, EventArgs e)
  {
      string reqStr = Request.QueryString["id"];
      MySafeLabel.Text = "From get string: " + Server.HtmlEncode(reqStr);  // no defect as Server.HtmlEncode() sanitizes the data
  }
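
HTML encoding, as in the fix above, is the right neutralization for text written into the HTML body. The following added example (not from the original page or from Klocwork) goes beyond that single case: it validates the "id" value against an allowlist first and, when the value must still be echoed, encodes it for the output context it lands in. The names OutputEncoder and TryParseId, the sample values, and the assumption that "id" is a positive integer are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Web; // HttpUtility: System.Web on .NET Framework, System.Web.HttpUtility on .NET 5+

// Hypothetical helper: one encoder per output context.
static class OutputEncoder
{
    // Text between tags, e.g. the Label.Text case on this page.
    public static string ForHtmlBody(string s) => HttpUtility.HtmlEncode(s ?? "");

    // Value inside a quoted HTML attribute: value="...".
    public static string ForHtmlAttribute(string s) => HttpUtility.HtmlAttributeEncode(s ?? "");

    // Value inside a JavaScript string literal; 'true' also emits the surrounding quotes.
    public static string ForJavaScriptString(string s) => HttpUtility.JavaScriptStringEncode(s ?? "", true);

    // Value used as a URL query component.
    public static string ForUrlComponent(string s) => Uri.EscapeDataString(s ?? "");
}

static class Program
{
    // Allowlist check (assumption: "id" is a positive integer made of digits only).
    static bool TryParseId(string raw, out int id) =>
        int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id) && id > 0;

    static void Main()
    {
        // Constructed sample values standing in for Request.QueryString["id"].
        string[] samples = { "42", "<b>\"O'Neil\" & co</b>" };

        foreach (string raw in samples)
        {
            if (TryParseId(raw, out int id))
            {
                // A validated integer contains no markup characters.
                Console.WriteLine("<span>From get string: " + id + "</span>");
                continue;
            }

            // Not a valid id. If it must still be shown, encode for the exact context.
            Console.WriteLine("<span>" + OutputEncoder.ForHtmlBody(raw) + "</span>");
            Console.WriteLine("<input value=\"" + OutputEncoder.ForHtmlAttribute(raw) + "\">");
            Console.WriteLine("<script>var q = " + OutputEncoder.ForJavaScriptString(raw) + ";</script>");
            Console.WriteLine("<a href=\"/item?id=" + OutputEncoder.ForUrlComponent(raw) + "\">link</a>");
        }
    }
}
```

The encoders are not interchangeable: an HTML-encoded value placed inside a script block or a URL is not neutralized for that context.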

Security training

Application security training materials provided by Secure Code Warrior.