T0119 - Cross-site scripting

Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
ID: T0119
Type: Technique
Tactic: Execution
Summary: Cross-site scripting
State: Draft

Mitigations

ID: M1190
Type: Mitigation
Summary: Use framework security mechanisms
Description: Fewer XSS bugs appear in applications built with modern web frameworks. These frameworks steer developers towards good security practices and help mitigate XSS by using templating, auto-escaping, and more. Understand how your framework prevents XSS and where it has gaps. There will be times when you need to do something outside the protection provided by your framework. This is where Output Encoding and HTML Sanitization are critical.

ID: M1191
Type: Mitigation
Summary: Escape all user supplied input
Description: All user-controlled data must be encoded when returned in the HTML page to prevent the execution of malicious data. The type of encoding is specific to the context of the page where the user-controlled data is inserted. For example, HTML entity encoding is appropriate for data placed into the HTML body. However, user data placed into a script would need JavaScript-specific output encoding.

ID: M1192
Type: Mitigation
Summary: Encode data output
Description: Output Encoding is recommended when you need to safely display data exactly as a user typed it in. Variables should not be interpreted as code instead of text. Use default output encoding protection when you wish to display data as the user typed it in. Automatic encoding and escaping functions are built into most frameworks. If you are not using a framework, or need to cover gaps in the framework, then you should use an output encoding library. Each variable used in the user interface should be passed through an output encoding function.

ID: M1193
Type: Mitigation
Summary: Use HTML sanitization
Description: HTML Sanitization will strip dangerous HTML from a variable and return a safe string of HTML. OWASP recommends DOMPurify for HTML Sanitization.

ID: M1194
Type: Mitigation
Summary: Use content security policy
Description: Set up CSP directives in order to protect against Cross-site scripting. CSP headers are used by the client's browser and protect the user from dynamic calls that would load content into the page currently being visited. A strong CSP provides an effective second layer of protection against various types of vulnerabilities, especially XSS. Although CSP doesn't prevent web applications from containing vulnerabilities, it can make those vulnerabilities significantly more difficult for an attacker to exploit.

ID: M1883
Type: Mitigation
Summary: Implement Web Application Firewall
Description: A web application firewall (WAF) is a security control designed to protect web applications from various types of cyber threats, in particular web-based, application-layer attacks such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). A WAF acts as a filter between a web application and the incoming requests from clients, such as web browsers or mobile apps. It examines the requests and responses to and from the web application, and applies a set of predefined security rules to identify and block malicious requests or traffic.
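
The context rule in M1191 and M1192, shown as an added example (not code from the original page or from any framework): the same value is encoded differently for an HTML body, a quoted HTML attribute, and a JavaScript string literal. The function names and the sample value are constructed for illustration.

```javascript
// Added example, not from the original page. Names and sample data are constructed.

// HTML body context: entity-encode the characters that start tags or entities.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Quoted HTML attribute context: encode every non-alphanumeric character as a
// numeric entity so the value cannot close the quote or start a new attribute.
function encodeForHtmlAttribute(value) {
  return Array.from(String(value), (ch) =>
    /^[A-Za-z0-9]$/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16)};`
  ).join('');
}

// JavaScript string-literal context: \uXXXX-escape every non-alphanumeric
// UTF-16 code unit, so quotes, backslashes, newlines and "</script>" stay data.
function encodeForJsString(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    out += /[A-Za-z0-9]/.test(ch)
      ? ch
      : '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// The same untrusted value placed in three contexts, each with its own encoder.
function renderProfile(displayName) {
  return [
    `<p>Hello, ${encodeForHtml(displayName)}</p>`,
    `<input name="displayName" value="${encodeForHtmlAttribute(displayName)}">`,
    `<script>var displayName = "${encodeForJsString(displayName)}";</script>`,
  ].join('\n');
}

// Constructed sample value containing markup and quote characters.
console.log(renderProfile('Ann "<b>" & O\'Neil'));
```

HTML entity encoding alone is not enough for the third line: it leaves backslashes and line breaks untouched, both of which are significant inside a JavaScript string.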

Detections

ID: D1170
Type: Detection
Summary: Configure application audit logs to detect injection attacks
Description: Audit logs can help you to monitor application traffic in order to detect injection attacks. Audit logs can be configured on multiple layers; for example, you can enable access logging for a web server or use your own custom application events. Monitor for SQL-like, JavaScript code, and shell command constructions inside application requests, and also check for multiple error events in application logs. Create an allow-list of commands and monitor for attempts to use commands outside this list.

ID: D1171
Type: Detection
Summary: Implement Web Application Firewall
Description: A web application firewall (WAF) is a security control designed to protect web applications from various types of cyber threats, in particular web-based, application-layer attacks such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). A WAF acts as a filter between a web application and the incoming requests from clients, such as web browsers or mobile apps. It examines the requests and responses to and from the web application, and applies a set of predefined security rules to identify and block malicious requests or traffic.
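
One way to apply D1170 to web server access logs, as an added example that is not part of the original page: each request target is percent-decoded a bounded number of times and checked for JavaScript constructs, and error responses are counted per client. The log lines, rule names and error threshold are constructed assumptions.

```javascript
// Added example, not from the original page. Log lines, rule names and threshold are constructed.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
  '198.51.100.4 - - [10/Mar/2025:10:00:02 +0000] "GET /search?q=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 498',
  '198.51.100.4 - - [10/Mar/2025:10:00:03 +0000] "GET /profile?name=%253Cimg%2520src%253Dx%2520onerror%253Dx%253E HTTP/1.1" 500 120',
  '198.51.100.4 - - [10/Mar/2025:10:00:04 +0000] "GET /profile?name=%22 HTTP/1.1" 500 120',
  '198.51.100.4 - - [10/Mar/2025:10:00:05 +0000] "GET /profile?name=%27 HTTP/1.1" 500 120',
];

// JavaScript constructs that have no place in a request target; tune per application.
const SCRIPT_RULES = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /\bon(error|load|click|focus|mouseover)\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
];

// Percent-decode a bounded number of times so double-encoded input is inspected too.
function decodeTarget(target, maxRounds = 3) {
  let current = target.replace(/\+/g, ' ');
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; } // malformed escape: keep as is
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns one alert per matched rule, plus one when a client reaches the error threshold.
function analyzeLog(lines, errorThreshold = 3) {
  const lineRe = /^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})\b/;
  const alerts = [];
  const errorsByClient = new Map();
  for (const line of lines) {
    const m = lineRe.exec(line);
    if (!m) continue; // not in the expected access-log layout
    const [, client, target, status] = m;
    const decoded = decodeTarget(target);
    for (const rule of SCRIPT_RULES) {
      if (rule.re.test(decoded)) alerts.push({ client, rule: rule.name, target });
    }
    if (Number(status) >= 400) {
      const count = (errorsByClient.get(client) || 0) + 1;
      errorsByClient.set(client, count);
      if (count === errorThreshold) alerts.push({ client, rule: 'error-burst', target: null });
    }
  }
  return alerts;
}
```

Calling `analyzeLog(SAMPLE_LOG)` returns three alerts for 198.51.100.4 (script-tag, event-handler, error-burst); the second is only caught because the target is decoded twice.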
