STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020

The application must protect from Cross-Site Scripting (XSS) vulnerabilities.

DISA Rule

SV-222602r561263_rule

Vulnerability Number

V-222602

Group Title

SRG-APP-000251

Rule Version

APSC-DV-002490

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Verify that user input is validated, and encode or escape user input at the point where it is rendered so that embedded script code cannot execute.

Develop the application using a web template system or a web application development framework that provides auto-escaping features rather than building your own escape logic.
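The fix recommendation above, shown as an added example (not part of the STIG or STIGQter): the same comment-rendering routine written with raw string concatenation and then with context-aware HTML encoding, checked against the two test strings this rule's manual check uses. The function names, the `containsActiveMarkup` heuristic and the sample inputs are this example's own assumptions.

```javascript
// Added example: output encoding for untrusted input rendered into HTML,
// beside the unsafe concatenation it replaces. Names here are hypothetical.

// Encode a value for an HTML text node or a quoted attribute value. Other
// contexts (URL, JavaScript, CSS) need their own encoders; this one is not
// sufficient for them.
function escapeHtml(untrusted) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable form: untrusted text is concatenated straight into markup, so
// the input decides what the browser parses.
function renderCommentUnsafe(author, text) {
  return `<p class="comment" data-author="${author}">${text}</p>`;
}

// Hardened form: every interpolation point is encoded for its context, and
// the attribute value is quoted (encoding an unquoted attribute is not enough).
function renderCommentSafe(author, text) {
  return `<p class="comment" data-author="${escapeHtml(author)}">` +
    `${escapeHtml(text)}</p>`;
}

// Rough check used only by this example: does the rendered output still carry
// a script tag or an onerror handler an HTML parser would act on? It shows the
// difference between the two renderers; it is not a substitute for the
// scanner-based check the STIG calls for.
function containsActiveMarkup(html) {
  return /<script\b|<img\b[^>]*\bonerror\s*=/i.test(html);
}

// Constructed sample inputs: the two strings from this rule's manual check.
const SAMPLE_INPUTS = [
  "<script>alert('hello')</script>",
  '<img src=x onerror="alert(document.cookie);"',
];

// Compare both renderers over the sample inputs; true means active markup survived.
function compareRenderers(author = "alice") {
  return SAMPLE_INPUTS.map((s) => ({
    input: s,
    unsafe: containsActiveMarkup(renderCommentUnsafe(author, s)),
    safe: containsActiveMarkup(renderCommentSafe(author, s)),
  }));
}
```

A framework with auto-escaping templates performs the `renderCommentSafe` step for every interpolation by default, which is why the rule prefers it over hand-written escape logic.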

Check Contents

Review the application documentation and the vulnerability assessment scan results from automated vulnerability assessment tools.

Verify that the scan configuration settings include web-application settings that enable XSS tests.

Review scan results for XSS vulnerabilities.

If the scan results indicate aspects of the application are vulnerable to XSS, request subsequent scan data that shows the XSS vulnerabilities previously detected have been fixed.

If results that show compliance are not available, request proof of any steps that have been taken to mitigate the risk. This can include using network-based IPS to detect and prevent XSS attacks from occurring.

If scan results are not available, perform manual testing in various data entry fields to determine whether XSS exists.

Navigate through the web application as a regular user and identify any data entry fields where data can be input.

Input the following strings:

<script>alert('hello')</script>
<img src=x onerror="alert(document.cookie);"

If the script pop-up box is displayed, or if scan reports show unremediated XSS results and no mitigating steps have been taken, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments