C-sharp : XSS due to insufficient validation
Classification
Overview
The application uses encoding that is insufficient for preventing the execution of malicious code in the client browser.
The use of certain types of encoding (HTML, XML) prevents only some XSS attacks. Typically, the encoding replaces the characters "<", ">", "&", and the single and double quotes. Depending on the context, however, other characters can also acquire a special meaning. An attacker can exploit this to execute malicious code in the browser (cross-site scripting, or XSS).
Besides JavaScript, malicious code designed to run in the browser can be written in HTML, Flash, and other languages the browser interprets. XSS attacks may pursue different goals, in particular transferring the victim's session data (cookies, session ID, and so on) to a third-party server and redirecting the victim to a malicious site.
The same applies to mobile applications if JavaScript is not disabled in WebView.
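The following is an added example, not code from the original page: it contrasts a C# rendering routine that applies HTML encoding to every value with one that encodes each value for the context it lands in (quoted HTML attribute, URL, JavaScript string). It assumes .NET 6 or later and the System.Text.Encodings.Web encoders; the inputs are constructed samples chosen to show which characters HTML encoding leaves untouched.

```csharp
// Added example (not from the original page): context-aware output encoding in C#.
// Assumes .NET 6+ and the System.Text.Encodings.Web encoders.
using System;
using System.Text.Encodings.Web;

public static class OutputEncoding
{
    // INSUFFICIENT: one encoder for every context. HTML encoding neutralises
    // < > & " ' but leaves space, '=', ':' and others untouched, so it only
    // protects HTML element content and quoted attribute values.
    public static string RenderHtmlEncodedOnly(string name, string link, string note)
    {
        string h = HtmlEncoder.Default.Encode(name);
        return "<div title=" + h + ">"                                            // unquoted attribute: a space ends the value
             + "<a href=\"" + HtmlEncoder.Default.Encode(link) + "\">link</a>"   // URL context: scheme is never checked
             + "<script>var note = '" + HtmlEncoder.Default.Encode(note) + "';</script>" // JS context: entities are not decoded here
             + "</div>";
    }

    // SUFFICIENT: encode for the context the value lands in, and always quote attributes.
    public static string RenderContextAware(string name, string link, string note)
    {
        string attr = HtmlEncoder.Default.Encode(name);      // quoted attribute -> HTML encoding is the right tool
        string href = SafeHttpUrl(link);                     // URL context -> validate the scheme, then HTML-encode
        string js = JavaScriptEncoder.Default.Encode(note);  // JS string literal -> JavaScript encoding
        return "<div title=\"" + attr + "\">"
             + "<a href=\"" + href + "\">link</a>"
             + "<script>var note = '" + js + "';</script>"
             + "</div>";
    }

    // Allow only absolute http(s) URLs; anything else is replaced by an inert placeholder.
    public static string SafeHttpUrl(string candidate)
    {
        if (Uri.TryCreate(candidate, UriKind.Absolute, out Uri? uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
        {
            return HtmlEncoder.Default.Encode(uri.ToString());
        }
        return "#";
    }

    public static void Main()
    {
        // Constructed sample inputs (hypothetical): each shows a character that
        // HTML encoding does NOT touch but that is significant in the target context.
        string name = "x data-injected=1";   // space and '=' survive HTML encoding -> new attribute in an unquoted context
        string link = "javascript:example";  // non-http scheme survives HTML encoding -> rejected only by scheme validation
        string note = "it's";                // HTML encoding yields &#x27; (shown literally inside <script>);
                                             // JavaScriptEncoder yields \u0027, which is correct for a JS string

        Console.WriteLine(RenderHtmlEncodedOnly(name, link, note));
        Console.WriteLine(RenderContextAware(name, link, note));
    }
}
```

Compile and run it as a console project; the first line of output shows the unquoted title attribute split at the space, the `javascript:` link passed through unchanged, and an HTML entity sitting inside a script block, while the second line shows each value encoded for its own context. The point to take from it is that a single "encode everything as HTML" step is not a substitute for choosing the encoder (and the validation, for URLs) that matches where the value is placed.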
References
- OWASP Top 10 2013-A3-Cross-Site Scripting (XSS)
- CWE-82: Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
- CWE-83: Improper Neutralization of Script in Attributes in a Web Page
- CWE-87: Improper Neutralization of Alternate XSS Syntax
- CWE-692: Incomplete Blacklist to Cross-Site Scripting
- OWASP: XSS Prevention Cheat Sheet
- OWASP Top 10-2017 A7-Cross-Site Scripting (XSS)
- CWE-79
- CWE CATEGORY: OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-81: Improper Neutralization of Script in an Error Message Web Page
- Preventing Cross-site Scripting In PHP
