
We use a web control adapter in our login page. Recently we ran VeraCode on our web application. In the following function we got CWE-80, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), on the line

rev.ErrorMessage = msg;

Following is the function in the WebControlAdapterExtender class.

static public void WriteRegularExpressionValidator(HtmlTextWriter writer, RegularExpressionValidator rev, string className, string controlToValidate, string msg, string expression)
{
    if (rev != null)
    {
        rev.CssClass = className;
        rev.ControlToValidate = controlToValidate;
        rev.ErrorMessage = msg;   // line flagged by VeraCode: msg is written to the page as-is
        rev.ValidationExpression = expression;
        rev.RenderControl(writer);
    }
}

Does anyone have any suggestion how to fix this?

5 Answers


The problem is that 'msg' is being passed down to your function, but there is no neutralization of it before it gets used - the string gets used 'as-is', so it could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf

I've not used this myself, but I think ErrorMessage gets rendered and displayed in the event of an error. Because this will get rendered on the final page, if 'msg' was a naughty snippet of code you are exposing yourself and your users to a security vulnerability.

Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

You should be able to use HtmlEncode to make this safe: HttpUtility.HtmlEncode(unencoded);

rev.ErrorMessage = System.Web.HttpUtility.HtmlEncode(msg);
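The effect of that one-line change, as an added example that is not code from the question or from this answer. It is a stand-alone console program: the `<span>` that `RegularExpressionValidator` writes for `ErrorMessage` is modelled by a small `RenderErrorSpan` helper (an assumption about the rendered markup, not the real control), the attacker-controlled message is a constructed sample, and `System.Net.WebUtility.HtmlEncode` is used in place of `System.Web.HttpUtility.HtmlEncode` so the program compiles on .NET Framework and on .NET 6+ without a System.Web reference. The names `EncodeForHtmlContent` and `WriteRegularExpressionValidatorMessage` are mine.

```csharp
// Added example, not code from the question or the answers.
// Shows (1) the script payload surviving into the page when msg is used as-is,
// (2) the same payload neutralised by HTML-encoding msg at the point where it
// is written, and (3) the double-encoding pitfall to watch for after the fix.
using System;
using System.Net;

static class ValidatorMessageEncoding
{
    // OWASP XSS cheat sheet rule #1: data placed into HTML element content must
    // have & < > " ' turned into entities. WebUtility.HtmlEncode does exactly that.
    public static string EncodeForHtmlContent(string untrusted)
    {
        return untrusted == null ? string.Empty : WebUtility.HtmlEncode(untrusted);
    }

    // Assumption: a model of the <span> RegularExpressionValidator.RenderControl
    // emits. The message lands in element content exactly as it was assigned
    // to ErrorMessage, which is why an unencoded msg is an XSS sink.
    public static string RenderErrorSpan(string errorMessage, string cssClass)
    {
        return "<span class=\"" + EncodeForHtmlContent(cssClass) + "\">"
             + errorMessage + "</span>";
    }

    // Hardened equivalent of the helper in the question: encode once, inside the
    // helper, so that every caller is covered and nobody can forget to do it.
    public static string WriteRegularExpressionValidatorMessage(string msg, string cssClass)
    {
        return RenderErrorSpan(EncodeForHtmlContent(msg), cssClass);
    }

    static void Main()
    {
        // Constructed sample: a message under attacker control, for example one
        // copied from a query-string parameter into the page.
        string attackerMsg = "Invalid input<script>alert(document.cookie)</script>";

        Console.WriteLine("Vulnerable (msg written as-is):");
        Console.WriteLine(RenderErrorSpan(attackerMsg, "error"));
        Console.WriteLine();

        Console.WriteLine("Fixed (msg HTML-encoded before it is assigned):");
        Console.WriteLine(WriteRegularExpressionValidatorMessage(attackerMsg, "error"));
        Console.WriteLine();

        // Pitfall: encode exactly once. A message that is already stored as
        // entities (e.g. "&lt;" in a .resx file) is visibly mangled by a second pass.
        string once = EncodeForHtmlContent("Value must be < 100");
        string twice = EncodeForHtmlContent(once);
        Console.WriteLine("Encoded once:  " + once);
        Console.WriteLine("Encoded twice: " + twice);
    }
}
```

In the vulnerable output the `<script>` element is live markup inside the span; in the fixed output it appears as `&lt;script&gt;`, which the browser displays as text. The last two lines show that `<` becomes `&lt;` after one pass and `&amp;lt;` after two, so apply the encoding at one boundary only (the helper, or the assignment in the answer above), and check that the messages passed in are plain text rather than pre-encoded or intentionally marked-up strings, since `HtmlEncode` will turn a deliberate `<b>` into literal text too. If `msg` only ever comes from constants or resource files, the finding is a data-flow warning rather than an exploitable path, but encoding at the boundary is cheap and keeps the helper safe for any future caller.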

VeraCode has several pages devoted to cleansing functions, organized by programming language, including those CWE IDs that each function addresses. Here's an example from the Java page, showing functions to handle CWE-80.

[image: example from the VeraCode Java cleansing-function page]

  • This page is not found.
    – Rahul Gul
    Commented Aug 7, 2023 at 6:21
  • @Rahulkalivaradarajalu - I've updated the links and added an image
    – kc2001
    Commented Aug 7, 2023 at 14:23
  • How about JavaScript? Not Java.
    Commented Apr 25 at 5:21

You can also use the Apache Commons Lang3 library's StringEscapeUtils. It has various methods for encoding strings, e.g. escapeXml(string), escapeHtml(string), etc.

rev.ErrorMessage = StringEscapeUtils.escapeHtml(msg);

A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.

Issue Code

strMessage = CLASSCONSTANTNAME + className + MESSAGENAME + message;
LOGGER.info(strMessage);

Fixed Code

strMessage = CLASSCONSTANTNAME + className + MESSAGENAME + message;
LOGGER.info(ESAPI.encoder().encodeForHTML(strMessage));


You can use the ESAPI library to fix this.

rev.ErrorMessage = ESAPI.encoder().encodeForHTML(msg);
