Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80)


My project client wants the whole application to be Veracode compliant. After submitting it for a Veracode static scan, we found that there are 326 flaws which need to be fixed as part of the Cross-Site Scripting error.

The application for which the scan was done is basically built using ASP Classic (VBScript).

Some of the lines reported are:

<td <%=feltfarve%> nowrap><%=tabeltekst_start%><a href="#" onclick="checkbrowser('<%=rsDBox("filid")%>','');" onmouseover=" window.status=' <%= f(18) & " " & rsDBox("filnavn")%>'; return true" onmouseout="window.status=''; return true");"><%=rsDBox("filnavn")%></a><%=tabeltekst_slut%></td>

&nbsp;<a onmouseover="EnterContent('ToolTip','<%=f(33)%>','<% if sagerRS("dkrerefnr") <> "" then     Response.Write (replace(f(34),"%1", sagerRS("dkrerefnr"))) else Response.Write(replace(f(34),"%1", f(35))) end if%>'); Activate();" onmouseout="deActivate()" href="javascript:void(0)"><img src="/secure/images/rolloverknap/gray_e.gif" border="0" WIDTH="12" HEIGHT="12"></a>

Response.Write "&nbsp;<a onmouseover=""EnterContent('ToolTip','"& f(36) &"','" & kretxt & "'); Activate();"" onmouseout=""deActivate()"" href=""javascript:void(0)""><img src=""/secure/images/rolloverknap/gray_i.gif"" border=""0"" WIDTH=""12"" HEIGHT=""12""></a>&nbsp;"

What type of fix can be applied to solve these cross-site scripting flaws?

2

There are 2 answers

1
jaczjill On

I think we should use Server.HTMLEncode to fix the XSS (cross-site scripting) threat.

0
Hugo Delsing On

Looking at your code, there are several variables that could create problems. I'm not exactly sure how Veracode checks for problems, but if any of these variables come from a user-supplied value, they pose a risk.

First the basics: if you allow > and < in any variable, especially combined with allowing " and ', everything is a threat. They can insert pretty much anything.

In your case, allowing " and ' is enough to create problems, because a lot of variables are already inserted inside JavaScript code like onmouseover and onmouseout.

Besides that, feltfarve could always cause a problem, even if you don't allow these characters.

feltfarve in <td <%=feltfarve%> nowrap> is inside a tag without quotes or anything. If somebody could modify the value to onmouseover=doBadStuff() you're in trouble. If they combine it with style they could even make it full screen, so almost anybody would hover it.

Keep in mind that if you directly insert values from your database, which is what <%=rsDBox("filid")%> is doing I think, then you must be 100% sure that you properly check them on insert.

Since DB best practice is to insert data as provided (not encoded), you should always check these values before you put them in your HTML.
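The points made in both answers (encode on output, and treat the unquoted feltfarve fragment differently from the values inside event handlers) applied to the first reported line, as an added example that is not code from the question or either answer. It assumes feltfarve holds a colour value such as "#ffcc00" and that tabeltekst_start / tabeltekst_slut are server-side markup constants, not user data; the helper names are made up here.

```asp
<%
' Added example: context-specific output encoding for the first reported line.
' Assumption: feltfarve is a colour like "#ffcc00" (the question does not say).

' Encode a value for a single-quoted JavaScript string literal that itself
' sits inside a double-quoted HTML event-handler attribute. Everything that is
' not alphanumeric or a space becomes \uXXXX, so ' " < > & and backslash can
' neither end the JS string nor the attribute. The result is then passed
' through Server.HTMLEncode for the outer (HTML attribute) context; the order
' is JS-encode first, HTML-encode second, matching how the browser decodes.
Function JsStringEncode(value)
    Dim i, ch, code, out
    If IsNull(value) Then value = ""
    out = ""
    For i = 1 To Len(value)
        ch = Mid(value, i, 1)
        code = AscW(ch)
        If code < 0 Then code = code + 65536   ' AscW returns a signed 16-bit value
        If (code >= 48 And code <= 57) Or (code >= 65 And code <= 90) _
           Or (code >= 97 And code <= 122) Or code = 32 Then
            out = out & ch
        Else
            out = out & "\u" & Right("0000" & Hex(code), 4)
        End If
    Next
    JsStringEncode = out
End Function

' feltfarve was emitted as a bare attribute fragment (<td <%=feltfarve%> nowrap>),
' a context where no encoding helps. Validate it against a strict allow-list and
' put the attribute name and quotes in the template, not in the data.
Function SafeColor(value)
    Dim re
    If IsNull(value) Then value = ""
    Set re = New RegExp
    re.Pattern = "^#[0-9A-Fa-f]{6}$"
    If re.Test(value) Then
        SafeColor = value
    Else
        SafeColor = "#ffffff"   ' constructed fallback: reject rather than render
    End If
End Function
%>
<td bgcolor="<%= SafeColor(feltfarve) %>" nowrap><%= tabeltekst_start %><a href="#"
   onclick="checkbrowser('<%= Server.HTMLEncode(JsStringEncode(rsDBox("filid"))) %>','');"
   onmouseover="window.status='<%= Server.HTMLEncode(JsStringEncode(f(18) & " " & rsDBox("filnavn"))) %>'; return true"
   onmouseout="window.status=''; return true"><%= Server.HTMLEncode(rsDBox("filnavn")) %></a><%= tabeltekst_slut %></td>
```

Keep the HTML attributes double-quoted as above: Server.HTMLEncode encodes < > & and " but not the apostrophe, so a single-quoted attribute would still be breakable by a ' in the data.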