How to solve Stored XSS issue reported by Checkmarx

Dasha Finch · Nov 11, 2016 · Viewed 7.5k times

Codebase I am working on has been analyzed by Checkmarx, and it came back with a report containing a "Stored XSS" issue. The issue states:

Method GetHomepageFilterByLocale HomepageRepo.cs gets data from the database, for the Select element. This element’s value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in method GetProductsByFilterType HomepageController.cs. This may enable a Stored Cross-Site-Scripting attack.

Is there a standard recommended way to resolve this issue?

Please see the code snippets below for both of the mentioned methods.

HomepageRepo.cs

// Reads the filter row for the given locale; this is the "source" of the Checkmarx flow.
public HomepageFilter GetHomepageFilterByLocale(int localeId)
{
    return _context.HomepageFilter.SingleOrDefault(x => x.LocaleId == localeId);
}

HomepageController.cs

The GetHomepageViewModel() method is where the repository method is called.

[HttpGet]
public ActionResult GetProductsByFilterType(int locale, string filterType)
{
    HomepageViewModel model = GetHomepageViewModel(locale, filterType);

    if (model?.Products != null)
    {
        // Product fields are already encoded before they leave the controller.
        model.Products.ForEach(p => p.Name = HttpUtility.HtmlEncode(p.Name));
        model.Products.ForEach(p => p.ImageUrl = HttpUtility.HtmlAttributeEncode(p.ImageUrl));
    }

    // This JSON response is the "sink" named in the Checkmarx finding.
    return Json(model, JsonRequestBehavior.AllowGet);
}

Answer

bkl · Nov 12, 2016

You should look at the vulnerability flow (to the right of the screen when you view the vulnerability) and see what objects are involved in this vulnerability.

You can also click on the little question mark sign ('?') on the right of the vulnerability name. It should tell you how to resolve it.

Finally, if you are still facing issues, you can click on the query viewer and preview what the query looks for exactly.

Now: from my own experience, XSS vulnerabilities are easily fixed with the HttpUtility.HtmlEncode method.

I'm thinking something like:

HttpUtility.HtmlEncode(_context.HomepageFilter.SingleOrDefault(x => x.LocaleId == localeId));
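Calling HtmlEncode on the whole HomepageFilter object only encodes its ToString() text, so the fields that actually reach the JSON response stay unencoded. The helper below, an added example that is not code from the question or the answer, encodes each string property of the flagged entity the same way the controller already treats Products; the string properties on HomepageFilter (FilterName, FilterType) are assumed, since the real class is not shown.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web;

// Assumed shape of the entity Checkmarx flagged; the real class is not on the page.
public class HomepageFilter
{
    public int LocaleId { get; set; }
    public string FilterName { get; set; }   // assumed string column read from the database
    public string FilterType { get; set; }   // assumed string column read from the database
}

public static class OutputEncoding
{
    // Encodes every public, writable string property of the object in place, so a value stored
    // in the database such as "<script>alert(1)</script>" reaches the browser as inert text.
    // HtmlEncode is the right choice only when the client inserts these values as HTML; if the
    // client writes them with textContent/innerText, encode there instead to avoid double escaping.
    public static T HtmlEncodeStrings<T>(T obj) where T : class
    {
        if (obj == null) return null;
        var stringProps = typeof(T)
            .GetProperties(BindingFlags.Public | BindingFlags.Instance)
            .Where(p => p.PropertyType == typeof(string) && p.CanRead && p.CanWrite);
        foreach (PropertyInfo prop in stringProps)
        {
            var value = (string)prop.GetValue(obj);
            if (value != null)
                prop.SetValue(obj, HttpUtility.HtmlEncode(value));
        }
        return obj;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample standing in for _context.HomepageFilter.SingleOrDefault(...).
        var filter = new HomepageFilter { LocaleId = 1, FilterName = "<script>alert(1)</script>", FilterType = "A&B" };
        OutputEncoding.HtmlEncodeStrings(filter);
        Console.WriteLine(filter.FilterName);  // &lt;script&gt;alert(1)&lt;/script&gt;
        Console.WriteLine(filter.FilterType);  // A&amp;B
    }
}
```

In the question's code this would be applied inside GetHomepageViewModel right after the repository call, before the filter is placed on the view model that Json() serializes.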