Cross-site scripting protection disabled

javascript.xss_protection_disabled

Severity

high

Resource

Misconfiguration

Language

JavaScript

Description

Cross-Site Scripting (XSS) vulnerabilities occur when untrusted input is improperly sanitized, allowing attackers to inject malicious scripts into web pages.

Web / template frameworks can provide some protection against XSS, but this protection can be disabled. The detector reports where the framework configuration disables XSS protection.

Rationale

Disabling XSS protection exacerbates this risk by removing browser or application-level defenses designed to mitigate such attacks. XSS vulnerabilities can occur if output encoding is disabled in web frameworks or template engines that provide this feature against XSS attacks.

The following example shows how auto-escape protection is disabled in two popular JavaScript template engines (swig and nunjucks):

const swig = require("swig")
const nunjucks = require("nunjucks")

swig.setDefaults({autoescape: false}) // FLAW
nunjucks.configure('path', {autoescape: false}) // FLAW

Remediation

To mitigate the risk of XSS vulnerabilities in web applications, ensure the following strategies are implemented:

Enable XSS protection in framework / templating engines: Always configure escaping by default of HTML content appropriately. Only in certain cases should the default escaping be deactivated, ensuring that user input is validated or neutralized against XSS attacks.
Output encoding: Encode all user-supplied data that is included in HTML content to prevent the execution of malicious scripts. Use encoding libraries for HTML encoding appropriate for your environment.
Content Security Policy (CSP): Implement a robust Content Security Policy to help prevent XSS attacks by controlling resources the browser is allowed to load and execute.
Input validation: Validate inputs thoroughly, allowing only expected and acceptable data to reach different layers of your application.
Security testing: Regularly perform security testing, including SAST, DAST (Dynamic Application Security Testing), and penetration testing, to identify and address potential XSS vulnerabilities and other risks.

The old X-XSS-Protection header is deprecated on most modern browsers, as its functionality is flawed or incomplete for most but the most trivial XSS attacks. The header itself introduced new security issues, including cross-site information attacks.

By incorporating these preventive measures, web applications can significantly reduce the likelihood and impact of XSS attacks, safeguarding both the application and its users effectively.

To fix the previous example, do not disable the default auto-escape setting:

[source,javascript]

const swig = require("swig") const nunjucks = require("nunjucks")

swig.setDefaults({autoescape: true}) // FIXED nunjucks.configure('path', {autoescape: true}) // FIXED

Configuration

The detector has no specific configurable parameters.

References

CWE-79 : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
OWASP Top 10 2021 - A03 : Injection.
OWASP Cross Site Scripting Prevention Cheat Sheet