The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16811	APP3580	SV-17811r1_rule	DCSQ-1	High

Description
XSS vulnerabilities exist when an attacker uses a trusted website to inject malicious scripts into applications with improperly validated input.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-17809r1_chk )
Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how XSS vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify cross site scripting vulnerabilities, this is a CAT I finding. Perform query string manipulation testing to determine if the user bypasses access control functions to gain data that should be restricted based on the user's security level or role. For example, if a query string, such as www.testweb.mil/apppage.asp?xyz=113&asd=185, gives the user access to data for data identifier number 185. Try to resubmit the query string with another three digit number (e.g., 186) to see if that data is displayed. If this data can be displayed through reports or other access points in the application, this would not be considered a finding. 2) If data displayed in the query manipulation testing is above the user's security level or role, this is a CAT II finding. For script tag embedding, select a text field of the application that accepts at least 15 characters. Try to input a script tag (script) into the field. If the data is accepted without an error, access the data entered via the application (this process will vary depending upon the application). 3) If the script tag in its entirety is displayed within the application, this is a CAT II finding. Mitigate XSS vulnerabilities by using HTTP-only cookies. Examine any cookies used while the application is being executed. Verify the HttpOnly flag has been set for all cookies. 4) If the HttpOnly flag has not been set for all cookies, this is a CAT II finding. HttpOnly cookies are explained further at the Microsoft website: http://msdn.microsoft.com/en-us/library/ms533046.aspx Examples of XSS vulnerabilities can be obtained from the OWASP website.

Check Text ( C-17809r1_chk )

Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details.

If the results are provided from a manual code review, the application representative will need to demonstrate how XSS vulnerabilities are identified during code reviews.

1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify cross site scripting vulnerabilities, this is a CAT I finding.

Perform query string manipulation testing to determine if the user bypasses access control functions to gain data that should be restricted based on the user's security level or role. For example, if a query string, such as www.testweb.mil/apppage.asp?xyz=113&asd=185, gives the user access to data for data identifier number 185. Try to resubmit the query string with another three digit number (e.g., 186) to see if that data is displayed. If this data can be displayed through reports or other access points in the application, this would not be considered a finding.

2) If data displayed in the query manipulation testing is above the user's security level or role, this is a CAT II finding.

For script tag embedding, select a text field of the application that accepts at least 15 characters. Try to input a script tag (script) into the field. If the data is accepted without an error, access the data entered via the application (this process will vary depending upon the application).

3) If the script tag in its entirety is displayed within the application, this is a CAT II finding.

Mitigate XSS vulnerabilities by using HTTP-only cookies. Examine any cookies used while the application is being executed. Verify the HttpOnly flag has been set for all cookies.

4) If the HttpOnly flag has not been set for all cookies, this is a CAT II finding.

HttpOnly cookies are explained further at the Microsoft website:
http://msdn.microsoft.com/en-us/library/ms533046.aspx

Examples of XSS vulnerabilities can be obtained from the OWASP website.

Fix Text (F-17104r1_fix)
Modify the application to protect against cross site scripting attacks.