Stored Improper Input Validation Injection
Description
Improper input validation can lead to XSS vulnerabilities and other security issues. Stored code injections are attacks where malicious code (such as JavaScript) is injected into the application and stored in the database to be later executed. Stored XSS is one of those attacks. Stored XSS is when an XSS vulnerability originates from the database because of malicious code previously inserted in it.
Remediation
Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.
To effectively prevent XSS vulnerabilities, use a combination of the following measures:
- Filter user input on arrival as strictly as possible, based on what you expect as legitimate input.
- Encode user-controllable data as soons as it is outputted in HTTP reponses to prevent it from being interpreted as active content (ie. code). Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
- Use the right headers to ensure that browsers interpret the responses the way you intended. For example, to prevent XSS in HTTP responses that are not supposed to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers.
- Use Content Security Policy (CSP) to reduce the severity of any XSS vulnerability that still occurs.
Configuration
Identifier:
injection/improper_input_stored
Options
- skip_objects : List of object that are to be skipped by the security test.
Examples
Ignore this check
{
"checks": {
"injection/improper_input_stored": {
"skip": true
}
}
}
Score
- Escape Severity: HIGH
- OWASP: API10:2023
- PCI DSS: 6.5.7
- CWE
- 74
- 79
- WASC: WASC-08
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 7.2