
I have a website hosted on an Apache Tomcat 7 server that uses the Authorize.net gateway and merchant services to handle payment. I recently ran a required PCI Compliance test against my website, and it failed due to a Reflected Cross-Site Scripting (XSS) Vulnerability. The example they gave was to replace the value of one of my form parameters with a script: alert('test')

I feel that I have already addressed this issue on the client-side by validating inputs when the form is submitted, and not proceeding if one of the inputs is invalid. However, a re-scan recently failed, so I think I need to do more.

My first question: is it possible to pass POST parameters to the server via the URL? I thought this was only possible with GET method, which I don't utilize. What I'm trying to figure out is how they are submitting this data. Their support is non-existent, of course, so I have to figure out the issue on my own.

Has anyone had any experience with PCI RapidComply? What did you use to fix your XSS Validation issues?

Thanks!

Bob .

1 Answer


You cannot pass POST parameters via the URL, but that is not required for an XSS vulnerability. A third party site can send the user to your site with any POST parameter they want by using JavaScript:

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://yoursite.example.com/" method="post">
      <input type="hidden" name="parameter" value="alert('test')">
    </form>
  </body>
</html>

As long as the attacker can cause an end user with access to your site to load such an HTML document (e.g. through an iframe put on an ad network), they can cause the user to run arbitrary JavaScript on your page in the context (session) of that user.

The only way to prevent this is by handling it server side. In general, any user data submitted should be sanitized, and also remember to escape everything when outputting HTML. Usually the last part should be handled by a templating library.

olav
  • Yes, this is correct. I realized after the fact that you can simply write a client-side script to submit the form. Can you recommend a templating library for escaping the output HTML? And is that typically done server-side? – Bob . Jun 28 '15 at 20:14
  • Escaping must always be done server side -- by the time the client receives the data, it is too late. As for templating engines, I don't really have any recommendations for Java. [Google](https://google.com/search?q=java%20templating%20engine) has many suggestions. I must say that Pebble looks promising wrt. [autoescaping](http://www.mitchellbosecke.com/pebble/documentation/guide/escaping). – olav Jun 29 '15 at 19:09