-
Notifications
You must be signed in to change notification settings - Fork 109
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Updated regex to look for type="hidden" in an input field wherever it is in that hidden HTML element. - Included detection for style="display: none;" - Updated descriptions for detail & remediation.
- Loading branch information
Showing
1 changed file
with
48 additions
and
12 deletions.
There are no files selected for viewing
60 changes: 48 additions & 12 deletions
60
vulnerability-classes/injection/Detecting hidden input fields for XSS.bcheck
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,17 +1,53 @@ | ||
| metadata: | ||
| language: v1-beta | ||
| language: v2-beta | ||
| name: "Hidden Input Field Detection at Response Level (Passive)" | ||
| author: "mrrootsec" | ||
| description: "This Bcheck identifies hidden input fields in the response for further examination." | ||
| tags: "passive" , "xss" | ||
| author: "mrrootsec, Kyle Gilligan" | ||
| description: "This Bcheck identifies hidden input fields in the HTTP response for further examination." | ||
| tags: "passive", "xss", "html", "hidden" | ||
|
|
||
| define: | ||
|
|
||
| # Issue Details: | ||
| id_01 = `- An '<input>' HTML field with the 'type="hidden"' or 'style="display: none;"' attribute has been detected.\n - This HTML field may be suseptible to XSS injections.` | ||
| id_02 = `\n- It becomes recommended to check this field for XSS by appending its "id", "name", or "class" attribute into a URL or body parameter.` | ||
| id_03 = `\n\n- For Example: -<input type="hidden" id="a1" name="b2" class="c3" value="Hello World!">-` | ||
| id_04 = `\n - Append a URL for XSS via 'id': 'https://example.com?a1=%3Cscript%3Ealert(%27Attack%27)%3C/script%3E'` | ||
| id_05 = `\n - Append a URL for XSS via 'name': 'https://example.com?b2=%3Cscript%3Ealert(%27Attack%27)%3C/script%3E'` | ||
| id_06 = `\n - Append a URL for XSS via 'class': 'https://example.com?c3=%3Cscript%3Ealert(%27Attack%27)%3C/script%3E'` | ||
| id_07 = `\n\n- For context, JavaScript typically gets used to interact between front-end HTML fields & backend servers.` | ||
| id_08 = `\n - JavaScript via "id": 'document.getElementById()'` | ||
| id_09 = `\n - JavaScript via "name": 'document.getElementsByName'` | ||
| id_10 = `\n - JavaScript via "class": 'document.getElementsByClassName'` | ||
| issueDetail_FULL = `{id_01}{id_02}{id_03}{id_04}{id_05}{id_06}{id_07}{id_08}{id_09}{id_10}` | ||
|
|
||
| # Issue Remediation: | ||
| ir_01 = `- Developers must ensure user-controllable input fields pass the following conditions to safeguard against Cross-Site Scripting & other injection attacks.\n---` | ||
| ir_02 = `\n1. CONTEXT: Establish what data context this user input field adheres to; should this field accept text only, numbers only, any characters, etcetera.` | ||
| ir_03 = `\n > For example: (A) Personal names - alphabetical characters only. (B) Phone numbers - numerical characters only.` | ||
| ir_04 = `\n\n2. VALIDATE: Validate user input through a character whitelist which detects for deployment of any unapproved characters.` | ||
| ir_05 = `\n > Unapproved characters will typically be contextually-unnecessary character types or all non-UTF8 characters (often based on language context of the application).` | ||
| ir_06 = `\n > Libraries like 'DOMPurify', 'Helmet', & 'ESAPI' exist to automate detection of illicit characters & character types.` | ||
| ir_07 = `\n\n3. RESPONSE: If unapproved characters become detected, either 'REJECT this payload' immediately OR 'SANITIZE & REEVALUATE this payload'.` | ||
| ir_08 = `\n > REJECT: Deny data transferal from this payload & send a response which indicates that rejection has occurred.` | ||
| ir_09 = `\n > SANITIZE & REEVALUATE: Perform sanatization on non-whitelisted characters once to convert these values into safer alternatives.` | ||
| ir_09a = ` Then reevaluate the payload for illicit characters again & REJECT this time if unsafe.` | ||
| ir_10 = `\n >> This practice should be tried if 'necessary' content appears expected to possess known-illicit characters (& this functionality cannot be rewritten).` | ||
| ir_11 = `\n\n4. ENCODE: If approved, this application must encode all HTML metacharacters contained within user input whenever this content would be copied directly into an HTTP webpage.` | ||
| ir_12 = `\n > For example: '<' becomes '<', '>' becomes '>', '&' becomes '&', '"' becomes '"', & etcetera.` | ||
| ir_13 = `\n > Metacharacters especially-relevant to XSS include: <, >, &, ", ', =, /, & \.` | ||
| issueRemediation_FULL = `{ir_01}{ir_02}{ir_03}{ir_04}{ir_05}{ir_06}{ir_07}{ir_08}{ir_09}{ir_09a}{ir_10}{ir_11}{ir_12}{ir_13}` | ||
|
|
||
| given response then | ||
| if {latest.response} matches "<input type=\"hidden\" id=\"[0-9A-Za-z-_]{0,}\"" then | ||
| report issue: | ||
| severity: info | ||
| confidence: firm | ||
| detail: "A Hidden Input Field has been Detected. It is recommended to manually check this field by appending them in the URL for potential Cross-Site Scripting (XSS) vulnerabilities." | ||
| remediation: "To prevent potential security risks, In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: | ||
| a) Input should be validated as strictly as possible on arrival, given the kind of content that it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. | ||
| b) User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > \" \' and =, should be replaced with the corresponding HTML entities (< > etc)." | ||
| # This check ensures that only notable 200s HTTP responses appear present in the HTTP response & unacceptable MIME types get ignored. | ||
| if ({latest.response.status_code} matches "(200|204|206)") and ({latest.response.headers} matches "(Content-Type: text/html)") then | ||
|
|
||
| # This check looks for the `<input>` HTML element followed by type="hidden" or style="display:none;" within 50 characters until a `>` appears. | ||
| if ({latest.response} matches "<input[^>]{0,50}?(type=['\"]hidden['\"]|style=['\"]display:\\s*none;['\"])") then | ||
| report issue: | ||
| severity: info | ||
| confidence: firm | ||
| detail: `{issueDetail_FULL}` | ||
| remediation: `{issueRemediation_FULL}` | ||
|
|
||
| end if | ||
| end if |