CodeQL queries 1.25

Name: Stored cross-site scripting

Description: Writing input from the database directly to a web page indicates a cross-site scripting vulnerability if the data was originally user-provided.

ID: cs/web/stored-xss

Kind: path-problem

Severity: error

Precision: medium

Query: StoredXSS.ql
/**
 * @name Stored cross-site scripting
 * @description Writing input from the database directly to a web page indicates a cross-site
 *              scripting vulnerability if the data was originally user-provided.
 * @kind path-problem
 * @problem.severity error
 * @precision medium
 * @id cs/web/stored-xss
 * @tags security
 *       external/cwe/cwe-079
 *       external/cwe/cwe-116
 */

import csharp
import semmle.code.csharp.security.dataflow.flowsources.Stored
import semmle.code.csharp.security.dataflow.XSS::XSS
import semmle.code.csharp.dataflow.DataFlow2
import DataFlow2::PathGraph

class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
  override predicate isSource(DataFlow2::Node source) { source instanceof StoredFlowSource }
}

from
  StoredTaintTrackingConfiguration c, DataFlow2::PathNode source, DataFlow2::PathNode sink,
  string explanation
where
  c.hasFlowPath(source, sink) and
  if exists(sink.getNode().(Sink).explanation())
  then explanation = ": " + sink.getNode().(Sink).explanation() + "."
  else explanation = "."
select sink.getNode(), source, sink,
  "$@ flows to here and is written to HTML or JavaScript" + explanation, source.getNode(),
  "Stored user-provided value"

Directly writing user input (for example, an HTTP request parameter) to a webpage, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.

Recommendation

To guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.

Example

The following example shows the page parameter being written directly to the server error page, leaving the website vulnerable to cross-site scripting.

using System;
using System.Web;

public class XSSHandler : IHttpHandler
{
    // Required by IHttpHandler; without it the example does not compile.
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Vulnerable: the "page" query-string value is written into the HTML
        // response without any output encoding.
        ctx.Response.Write(
            "The page \"" + ctx.Request.QueryString["page"] + "\" was not found.");
    }
}
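The hardened counterpart of the handler above, covering both the recommendation's contextual encoding and the stored case this query targets, as an added example that is not part of the original query documentation. It assumes a hypothetical PageRepository standing in for the database lookup that the query's StoredFlowSource models; HttpUtility.HtmlEncode and HttpUtility.JavaScriptStringEncode are the encoders that ship in System.Web.

```csharp
using System;
using System.Web;

// Assumed for illustration: a stand-in for a database lookup. The value it
// returns was saved from an earlier user request, so it is as untrusted as
// input read directly from the current request.
public class PageRepository
{
    public string GetTitle(string key)
    {
        // Constructed sample of stored data containing markup characters.
        return "Widgets <b>& more</b>";
    }
}

public class SafeXSSHandler : IHttpHandler
{
    private readonly PageRepository repo = new PageRepository();

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Reflected case from the original example: the value lands in an HTML
        // body context, so it is HTML-encoded before being written.
        string page = ctx.Request.QueryString["page"] ?? "";
        ctx.Response.Write(
            "The page \"" + HttpUtility.HtmlEncode(page) + "\" was not found.");

        // Stored case: the value comes from the database rather than the request,
        // but it was user-provided when it was written there, so it is encoded
        // exactly like direct input. This is the flow cs/web/stored-xss reports
        // when the encoding step is missing.
        string title = repo.GetTitle(page);
        ctx.Response.Write("<h1>" + HttpUtility.HtmlEncode(title) + "</h1>");

        // A value placed inside a JavaScript string literal needs the JavaScript
        // string encoder, not the HTML encoder: each output context has its own
        // escaping rules, which is what "contextual" encoding means.
        ctx.Response.Write(
            "<script>var title = \"" + HttpUtility.JavaScriptStringEncode(title) + "\";</script>");
    }
}
```

With the sample value, HtmlEncode emits `Widgets &lt;b&gt;&amp; more&lt;/b&gt;` in the HTML contexts and JavaScriptStringEncode emits `Widgets \u003cb\u003e\u0026 more\u003c/b\u003e` inside the script literal, so the stored markup is rendered as text in both places instead of being interpreted.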

References