Search Bar contains Reflected Cross-Site Scripting
The search bar that functions as a product filter is vulnerable to reflected XSS because it performs no validation or sanitization of user input. An example of exploiting this vulnerability is shown in the screenshot below.
As illustrated above, because the application does not process the data in any way, an attacker can construct a basic XSS payload such as:
</script><script>alert('s1nj0r0')<script>
which triggers cross-site scripting. In other words, the malicious input is injected into the HTML, closing the existing script tag and opening a new one containing an alert call. As shown, the alert fired, confirming that the code is vulnerable.
Exploitation and Mitigation
The following figure illustrates the vulnerable code. The user-supplied data is passed directly through @Html.Raw, which outputs text containing HTML elements to the client and has them rendered as markup, i.e., any script contained in the value being displayed will execute, exposing SimplCommerce to cross-site scripting.
How should I fix it?
Sanitizing the user-supplied data is the key to avoiding XSS. @Html.Raw is a legitimate tool, but when displaying user-supplied data it is better to use a method that encodes the output, such as @Html.Encode(). However, @Html.Encode() does not cover all XSS attacks.
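The following Razor fragment is an added illustration, not SimplCommerce's own view code; it assumes a view model with a string property Query holding the search term. It places the unsafe @Html.Raw output beside the encoded forms and shows the one context (inline script) where plain HTML encoding is not the right defense.

```cshtml
@* Vulnerable: the search term is written into the page unencoded, so a query
   containing </script><script>...</script> becomes live markup. *@
<p>Results for: @Html.Raw(Model.Query)</p>

@* Hardened: Razor HTML-encodes @-expressions by default, so < > " ' and &
   are emitted as entities and the browser renders them as text. *@
<p>Results for: @Model.Query</p>

@* The same encoding, spelled out explicitly. *@
<p>Results for: @Html.Encode(Model.Query)</p>

@* Inside a quoted attribute the default encoding is also sufficient. *@
<input type="text" name="q" value="@Model.Query" />

@* Inside a <script> block HTML encoding is not the right tool; emit the value
   as a JSON literal so that quotes and angle brackets are escaped for JavaScript. *@
<script>
    var lastQuery = @Json.Serialize(Model.Query);
</script>

@* @Html.Raw is only appropriate for markup the server itself produced or that
   has been run through an allow-list HTML sanitizer beforehand. *@
```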
Useful Links
Cross Site Scripting (XSS) Software Attack | OWASP Foundation
Issue Analytics
- Created 3 years ago
- Comments:8 (6 by maintainers)
Top GitHub Comments
Hey guys @thiennn @hishamco, yes, it is fixed. I strongly recommend that you create the GitHub Security Advisories GSC for this repository.
This vulnerability is rippled around the application. Somewhere in _WidgetInstance.cshtml too.