Update Detecting hidden input fields for XSS.bcheck

PortSwigger · Oct 24, 2024 · 3c7511c · 3c7511c
1 parent d0d7578
commit 3c7511c
Showing 1 changed file with 32 additions and 30 deletions.
diff --git a/vulnerability-classes/injection/Detecting hidden input fields for XSS.bcheck b/vulnerability-classes/injection/Detecting hidden input fields for XSS.bcheck
@@ -6,36 +6,39 @@ metadata:
     tags: "passive", "xss", "html", "hidden"
 
 define:
+    issueDetail_FULL = 
+`An '<input>' HTML field with the 'type="hidden"' or 'style="display: none;"' attribute has been detected.
+This HTML field may be susceptible to XSS injections.
+It is recommended to check this field for XSS by appending its "id", "name", or "class" attribute into a URL or body parameter.
 
-    # Issue Details:
-    id_01 = `- An '<input>' HTML field with the 'type="hidden"' or 'style="display: none;"' attribute has been detected.\n    - This HTML field may be suseptible to XSS injections.`
-    id_02 = `\n- It becomes recommended to check this field for XSS by appending its "id", "name", or "class" attribute into a URL or body parameter.`
-    id_03 = `\n\n- For Example: -<input type="hidden" id="a1" name="b2" class="c3" value="Hello World!">-`
-    id_04 = `\n    - Append a URL for XSS via 'id': 'https://example.com?a1=%3Cscript%3Ealert(%27Attack%27)%3C/script%3E'`
-    id_05 = `\n    - Append a URL for XSS via 'name': 'https://example.com?b2=%3Cscript%3Ealert(%27Attack%27)%3C/script%3E'`
-    id_06 = `\n    - Append a URL for XSS via 'class': 'https://example.com?c3=%3Cscript%3Ealert(%27Attack%27)%3C/script%3E'`
-    id_07 = `\n\n- For context, JavaScript typically gets used to interact between front-end HTML fields & backend servers.`
-    id_08 = `\n    - JavaScript via "id": 'document.getElementById()'`
-    id_09 = `\n    - JavaScript via "name": 'document.getElementsByName'`
-    id_10 = `\n    - JavaScript via "class": 'document.getElementsByClassName'`
-    issueDetail_FULL = `{id_01}{id_02}{id_03}{id_04}{id_05}{id_06}{id_07}{id_08}{id_09}{id_10}`
-
-    # Issue Remediation:
-    ir_01 = `- Developers must ensure user-controllable input fields pass the following conditions to safeguard against Cross-Site Scripting & other injection attacks.\n---`
-    ir_02 = `\n1. CONTEXT: Establish what data context this user input field adheres to; should this field accept text only, numbers only, any characters, etcetera.`
-    ir_03 = `\n    > For example: (A) Personal names - alphabetical characters only. (B) Phone numbers - numerical characters only.`
-    ir_04 = `\n\n2. VALIDATE: Validate user input through a character whitelist which detects for deployment of any unapproved characters.`
-    ir_05 = `\n    > Unapproved characters will typically be contextually-unnecessary character types or all non-UTF8 characters (often based on language context of the application).`
-    ir_06 = `\n    > Libraries like 'DOMPurify', 'Helmet', & 'ESAPI' exist to automate detection of illicit characters & character types.`
-    ir_07 = `\n\n3. RESPONSE: If unapproved characters become detected, either 'REJECT this payload' immediately OR 'SANITIZE & REEVALUATE this payload'.`
-    ir_08 = `\n    > REJECT: Deny data transferal from this payload & send a response which indicates that rejection has occurred.`
-    ir_09 = `\n    > SANITIZE & REEVALUATE: Perform sanatization on non-whitelisted characters once to convert these values into safer alternatives.`
-    ir_09a = ` Then reevaluate the payload for illicit characters again & REJECT this time if unsafe.`
-    ir_10 = `\n        >> This practice should be tried if 'necessary' content appears expected to possess known-illicit characters (& this functionality cannot be rewritten).`
-    ir_11 = `\n\n4. ENCODE: If approved, this application must encode all HTML metacharacters contained within user input whenever this content would be copied directly into an HTTP webpage.`
-    ir_12 = `\n    > For example: '<' becomes '&lt;', '>' becomes '&gt;', '&' becomes '&amp', '"' becomes '&quot', & etcetera.`
-    ir_13 = `\n    > Metacharacters especially-relevant to XSS include: <, >, &, ", ', =, /, & \.`
-    issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}{ir_04}{ir_05}{ir_06}{ir_07}{ir_08}{ir_09}{ir_09a}{ir_10}{ir_11}{ir_12}{ir_13}`
+For Example: -<input type="hidden" id="a1" name="b2" class="c3" value="Hello World!">-
+- Append a URL for XSS via 'id': 'https://example.com?a1=%3Cscript%3Ealert(%27Attack%27)%3C/script%3E'
+- Append a URL for XSS via 'name': 'https://example.com?b2=%3Cscript%3Ealert(%27Attack%27)%3C/script%3E'
+- Append a URL for XSS via 'class': 'https://example.com?c3=%3Cscript%3Ealert(%27Attack%27)%3C/script%3E'
+
+For context, JavaScript typically gets used to interact between front-end HTML fields & backend servers.
+- JavaScript via "id": 'document.getElementById()'
+- JavaScript via "name": 'document.getElementsByName'
+- JavaScript via "class": 'document.getElementsByClassName'`
+
+    issueRemediation_FULL = 
+`Developers must ensure user-controllable input fields pass the following conditions to safeguard against Cross-Site Scripting & other injection attacks.
+---
+1. CONTEXT: Establish what data context this user input field adheres to; should this field accept text only, numbers only, any characters, etc.
+\t> For example: (A) Personal names - alphabetical characters only. (B) Phone numbers - numerical characters only.
+
+2. VALIDATE: Validate user input through a character whitelist which detects for deployment of any unapproved characters.
+\t> Unapproved characters will typically be contextually-unnecessary character types, or all non-UTF8 characters (often based on the language context of the application).
+\t> Libraries like 'DOMPurify', 'Helmet', & 'ESAPI' exist to automate detection of illicit characters & character types.
+
+3. RESPONSE: If unapproved characters become detected, either 'REJECT this payload' immediately OR 'SANITIZE & REEVALUATE this payload'.
+\t> REJECT: Deny data transferal from this payload & send a response that indicates rejection has occurred.
+\t> SANITIZE & REEVALUATE: Perform sanitization on non-whitelisted characters once to convert these values into safer alternatives. Then, reevaluate the payload for illicit characters again & REJECT this time if unsafe.
+\t\t>> This practice should be tried if 'necessary' content appears expected to possess known illicit characters, and this functionality cannot be rewritten.
+
+4. ENCODE: If approved, this application must encode all HTML metacharacters contained within user input whenever this content would be copied directly into an HTTP webpage.
+\t> For example: '<' becomes '&lt;', '>' becomes '&gt;', '&' becomes '&amp', '"' becomes '&quot', etc.
+\t> Metacharacters especially-relevant to XSS include: <, >, &, ", ', =, /, & \.`
 
 given response then
     # This check ensures that only notable 200s HTTP responses appear present in the HTTP response & unacceptable MIME types get ignored.
@@ -48,6 +51,5 @@ given response then
                 confidence: firm
                 detail: `{issueDetail_FULL}`
                 remediation: `{issueRemediation_FULL}`
-
         end if
     end if