Cross-site Scripting Vulnerability

This checker reports potential cross-site scripting issues in CGI scripts (programs run by a web server through the Common Gateway Interface). Specifically, it reports a defect whenever a tainted string, received from the QUERY_STRING environment variable through a call to the getenv() function, is passed to a function that writes it to the stdout stream, which in a CGI script is the HTTP response body.

Vulnerability and risk

Cross-site scripting (XSS) is a type of web application security vulnerability. Cross-site scripting attacks let an attacker inject scripts from a different site into legitimate web pages. When a web server program copies data from the HTTP request directly into the generated web page, it is exposed to the reflected variant of cross-site scripting.

Mitigation and prevention

Mitigating reflected cross-site scripting issues depends on where in the generated HTML page the untrusted data is inserted. In general, escaping the untrusted data works well for HTML element content (as in the fixed example in this documentation); other contexts, such as attribute values, JavaScript or URLs, need context-specific encoding. For more complete information on how to prevent cross-site scripting, see the OWASP documentation.

Vulnerable code example

1   #include <iostream>
2   #include <string>
3   using namespace std;
4   void vulnerableServer() {
5      string query = getenv("QUERY_STRING");   // taint source: attacker-controlled request data (getenv() is declared in <cstdlib>)
6      cout << "Viewing query ";
7      cout << query << endl;                   // sink: tainted string written unescaped into the HTTP response
8   }

In the above example, an attacker can place a script in the query string; when the server reflects it into the web page, the script runs in the browser of the user viewing that page and can collect sensitive information, such as session data, from that user.

Klocwork produces a SV.TAINTED.XSS.REFLECTED defect at line 7, indicating that “Unvalidated string 'query' is received from the QUERY_STRING environment variable through a call to 'getenv' at line 5 that is being written to stdout through 'cout' at line 7. This allows for a cross-site scripting vulnerability.”

Fixed code example

1   #include <iostream>
2   #include <string>
3   using namespace std;
4   string validate(string &query);
5   void secureServer() {
6      string query = getenv("QUERY_STRING");       // taint source: attacker-controlled request data (getenv() is declared in <cstdlib>)
7      cout << "Viewing query ";
8      string validated_query = validate(query);    // escapes HTML special characters, removing the taint
9      cout << validated_query << endl;             // only the escaped string reaches the HTTP response
10  }

In this example, the checker will not report the defect SV.TAINTED.XSS.REFLECTED because the tainted string 'query' has been validated at line 8. The function validate() at line 8 is a custom-implemented function (the prototype is at line 4) that escapes special characters in the query string to prevent cross-site scripting from occurring. This is a simple way to remove the potential for cross-site scripting.
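One concrete form the validate() prototype above could take, written here as an added example rather than code from the Klocwork documentation: it escapes the characters OWASP recommends encoding for HTML element content and reads QUERY_STRING without dereferencing a null pointer. The names validate(), readQueryString() and renderPage() are assumptions of this example, not Klocwork API.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>

// Escape the characters that would let attacker-supplied text be parsed as
// markup when placed in HTML element content. Hypothetical implementation of
// the validate() prototype from the fixed example.
std::string validate(const std::string &query) {
    std::string out;
    out.reserve(query.size());
    for (char c : query) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#x27;"; break;
            case '/':  out += "&#x2F;"; break;
            default:   out += c;        break;
        }
    }
    return out;
}

// getenv() returns nullptr when QUERY_STRING is unset (for example when the
// program is run outside a CGI server); constructing std::string from that
// pointer is undefined behaviour, so check it first.
std::string readQueryString() {
    const char *raw = std::getenv("QUERY_STRING");
    return raw ? std::string(raw) : std::string();
}

// Build the response body: the tainted value is escaped before it is
// written into HTML element content.
std::string renderPage(const std::string &query) {
    return "<p>Viewing query " + validate(query) + "</p>\n";
}

int main() {
    std::cout << "Content-Type: text/html\r\n\r\n";
    std::cout << renderPage(readQueryString());
    return 0;
}
```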

Security training

Application security training materials provided by Secure Code Warrior.


This checker can be extended through the Klocwork knowledge base to:
  • specify functions that clean the query string, by using the specification field TSCheckXSS
  • specify functions that can write to the stdout stream, by using the specification field TSSinkXSS
See Tuning C/C++ analysis for more information.