How Can fix Checkmarx report : "Reflected XSS All Clients"?

Question

I got repoprted 151 High rish "Reflected XSS All Clients" problems of my code. They all share the same patterns like below:

行114 153

source object:dtIn     destination object:SerializeObject
code snippet:
file name: /DEBT/DEBT/Controllers/DEBT440Controller.cs
method: ppublic string GetHistory(DataTableIn dtIn)
....
176. public string GetHistory(DataTableIn dtIn)
....
184. model = JsonConvert.DeserializeObject<DEBTM440Model>(dtIn.findJson);
....
189. var data = _service.Use(t => t.GetHistory(model));
The report said:
The method _service.Use embeds untrusted data in generated output with GetPage, at line 175 of
DEBT/DEBT/Controllers/DEBT047Controller.cs. This untrusted data is embedded into the output without
proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page.
The attacker would be able to alter the returned web page by simply providing modified data in the user input
dtIn, which is read by the GetPage method at line 136 of DEBT/DEBT/Controllers/DEBT047Controller.cs. This
input then flows through the code straight to the output web page, without sanitization.
This can enable a Reflected Cross-Site Scripting (XSS) attack.

I Changed the Implementation of DataTableIn Class, Added 2 method to do some html encode trying to 'Sanitized' the dtIn object. Here is the new TableDataIn Class: `

using Newtonsoft.Json.Linq;
using System;
using System.Collections.Generic;
using System.Web;

namespace ABT.Entity
{
    public class DataTableIn
    {
        public int draw { get; set; }
        public int start { get; set; }
        public int length { get; set; }
        public int recordsFiltered { get; set; }
        public string findJson { get; set; }
        public DataTableSearchIn search { get; set; }
        public List<DataTableOrderIn> order { get; set; }

        public DataTableIn SanitizeAndEncode()
        {
            DataTableIn sanitizedData = new DataTableIn();
            // Sanitize and encode "findJson"
            JObject jsonObject = JObject.Parse(findJson);

            // Iterate through the fields in the JSON object
            foreach (var field in jsonObject)
            {
                // Encode the field's value
                string fieldName = field.Key;
                string fieldValue = field.Value.ToString();
                string encodedFieldValue = EncodeJsonValue(fieldValue);
                jsonObject[fieldName] = encodedFieldValue;
            }
            findJson = jsonObject.ToString();

            // Sanitize and encode search terms
            if (search != null)
            {
                search.value = HttpUtility.HtmlEncode(search.value);
            }
            if (order != null)
            {
                foreach (DataTableOrderIn order in order)
                {
                    order.column = Math.Min(order.column, 0);
                }
            }
            sanitizedData.findJson = findJson;
            sanitizedData.search = search;
            sanitizedData.order = order;
            sanitizedData.draw = Math.Max(draw, 0);
            sanitizedData.start = Math.Max(start, 0);
            sanitizedData.length = Math.Max(length, 0);
            sanitizedData.recordsFiltered = Math.Max(recordsFiltered, 0);

            return sanitizedData;
        }
        public string EncodeJsonValue(string value)
        {
            // Encode special characters in the value
            string encodedValue = value
                .Replace("\\", "\\\\")  // Escape backslashes
                .Replace("\"", "\\\"")  // Escape double quotes
                .Replace("\n", "\\n")   // Escape newlines
                .Replace("\r", "\\r")   // Escape carriage returns
                .Replace("\t", "\\t");  // Escape tabs

            // Apply HTML encoding to the encoded value
            string htmlEncodedValue = HttpUtility.HtmlEncode(encodedValue);

            return htmlEncodedValue;
        }

    }
    public class DataTableOrderIn
    {
        public int column { get; set; }
        public EnumOrderType dir { get; set; }
    }

    public class DataTableSearchIn
    {
        //search value
        public string value { get; set; }
        public bool regex { get; set; }
    }

    public enum EnumOrderType
    {
        Asc,
        Desc
    }
}

` Then change controllers:

....
189. public string GetHistory(DataTableIn dtIn)
....
209. dtIn = dtIn.SanitizeAndEncode();
....
214. model =
JsonConvert.DeserializeObject<DEBTM575Model>(dtIn.findJson);

Well...It didn't work at all. Can any one help to solve these issues?

Answer 1

Checkmarx has informed you that you have XSS vulnerabilities in your codebase, and it appears that what you want to do involves 2 things:

1. Address the security vulnerability, protecting your app against XSS
2. Satisfy Checkmarx so that it stops reporting XSS vulnerability on the relevant lines.

Your solution involves implementing your own sanitization, and using that on your controller class.

You say

Well...It didn't work at all.

Your solution may actually address 1. - protecting your app against XSS.

Without reviewing your sanitizer implementation more thoroughly (I'm not going to do that), it's hard to say for sure whether it addresses 1., but the prevailing issue is that Checkmarx still reports on it.

Static analysis tools like Checkmarx are not as clever as you may think, and especially when you perform the sanitization yourself, they often have a hard time detecting that.

Your best bet, both from a security perspective, and for making Checkmarx recognize that the input is sanitized, is to use a well known, dedicated library.

From what I can see mganss/HtmlSanitizer seems to be the most popular for .NET.

Install this, use it instead of your implementation, and see if that satisfies Checkmarx.