Blind XSS - Vulnerability Database

Blind XSS

Description

Blind Cross-Site Scripting (XSS) is a vulnerability where malicious JavaScript code is injected into an application and executed in a different context from the one where it was submitted, typically in another user's browser, so the attacker cannot observe the execution at injection time. This vulnerability was confirmed when JavaScript code injected during the scan was executed and triggered a callback to the Invicti Out-of-Band (OOB) Service. The callback indicates that the payload was stored and later rendered in another user's browser session, such as an administrative panel or a logging interface.

Remediation

Implement comprehensive input validation and context-aware output encoding to prevent XSS vulnerabilities:

1. Apply Context-Specific Output Encoding:
Always encode user input based on where it will be rendered in the HTML document:

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import org.apache.commons.text.StringEscapeUtils; // Apache Commons Text
import org.json.JSONObject;                        // org.json

// HTML context - encode the HTML special characters (&, <, >, ").
// Note: escapeHtml4 does not escape the single quote, so always wrap
// attributes that receive this value in double quotes.
String safeHtml = StringEscapeUtils.escapeHtml4(userInput);

// JavaScript context - emit the value as a quoted JSON string literal
String safeJs = JSONObject.quote(userInput);

// URL context - percent-encode for use in a query parameter
// (the Charset overload, Java 10+, throws no checked exception)
String safeUrl = URLEncoder.encode(userInput, StandardCharsets.UTF_8);

2. Implement Content Security Policy (CSP):
Add CSP headers to restrict script execution and mitigate XSS impact:
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'

3. Validate and Sanitize Input:
Use allowlist-based validation to restrict input to expected formats and remove potentially malicious content before storage.

4. Use Security Libraries:
Leverage established security libraries such as OWASP Java Encoder, DOMPurify (JavaScript), or framework-specific encoding functions rather than implementing custom sanitization.

5. Set HttpOnly and Secure Flags:
Configure session cookies with the HttpOnly and Secure flags so that a successful XSS payload cannot read the session cookie and the cookie is only sent over HTTPS:
Set-Cookie: sessionId=value; HttpOnly; Secure; SameSite=Strict