Secure by Design: CISA and FBI want to put an end to cross-site scripting

The US security authorities CISA and FBI are targeting cross-site scripting vulnerabilities in the development process.

A badly broken laptop with stickers holding it together and showing FBI and CISA logos

(Image: Created with AI in Bing Designer by heise online / dmk)


The "Secure by Design" series has received another entry from the US security authorities CISA and FBI. This time, the authorities take a look at cross-site scripting (XSS) vulnerabilities.

In the associated CISA and FBI fact sheet, the security agencies discuss how malicious cyber actors compromise systems using cross-site scripting. The aim is to make this type of vulnerability less common on a large scale. Vulnerabilities such as cross-site scripting occur again and again and allow criminals to abuse them; they are, however, avoidable and should therefore not occur in software products.

Cross-site scripting occurs when manufacturers do not validate, sanitize and filter user-controllable inputs, the authors explain. This allows threat actors to inject malicious scripts into web apps and abuse them to manipulate, steal or misuse data across different contexts. Although some developers have implemented input filtering techniques to prevent XSS vulnerabilities, these approaches are not infallible and should be reinforced with additional security measures.

Technical managers should review their threat models to prevent such vulnerabilities and ensure that the software validates input in terms of both structure and meaning. They should also rely on modern web frameworks that offer easy-to-use functions for output encoding and ensure correct filtering. This is done, for example, by differentiating between user input and application code. The frameworks ensure that developers do not have to filter and check every single input themselves; however, programmers must follow the framework's instructions in order to catch edge cases that could still lead to XSS vulnerabilities.

If no modern web framework can be used, developers must ensure that all user input displayed in web apps is properly filtered and checked. Code reviews are also essential, as is the implementation of aggressive and "malicious" product testing to ensure the quality and security of the code – throughout the development cycle.
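To make the difference between "user input" and "application code" concrete, here is an added example (not from the article or the CISA/FBI fact sheet) that renders the same server-side HTML fragment once by naive string concatenation and once with context-aware output encoding; the function names and the sample inputs are constructed for illustration.

```javascript
// Added example: vulnerable rendering beside its output-encoded counterpart.
// renderUnsafe, renderSafe, escapeHtml and containsUnexpectedTag are assumed names.

// Vulnerable: the untrusted value is concatenated straight into HTML, so any
// markup in the input is interpreted as part of the page rather than as data.
function renderUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Encode the five characters that change meaning in HTML text and in
// double-quoted attribute values. Output encoding is applied at render time,
// in the context where the value lands, rather than by filtering the input.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the value is encoded for both places it appears. The attribute is
// double-quoted, so the encoded '"' cannot terminate it early.
function renderSafe(name) {
  const safe = escapeHtml(name);
  return `<p data-name="${safe}">Hello, ${safe}!</p>`;
}

// Review/test helper: a rendered fragment may only contain the tags the
// template itself emits. Any other tag means input became markup.
function containsUnexpectedTag(html, allowed = ['p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample inputs: a plain name and a value carrying a script tag.
const samples = ['Alice', '<script>alert(1)</script>'];
for (const s of samples) {
  console.log('unsafe:', renderUnsafe(s), '->', containsUnexpectedTag(renderUnsafe(s)));
  console.log('safe:  ', renderSafe(s), '->', containsUnexpectedTag(renderSafe(s)));
}
```

The same structural check can run in a unit test over every template, which is one way to make the "aggressive testing throughout the development cycle" advice above mechanical rather than manual.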

These specific tips for the development process are followed by the usual advice for management in the "Secure by Design" guides. Management must take responsibility, create transparency and, if necessary, reorganize the structures to achieve these security goals.

At Mandiant's mWise conference, Jen Easterly, head of CISA, was very clear about her view of things: labeling security vulnerabilities as "software vulnerabilities" is too lenient and "actually blurs responsibility. We should call them 'product defects'". This view is also reflected in the handouts for software developers, which are the documents in the "Secure by Design" series. Most recently, the authorities have focused on the "command injection" vulnerability type, more precisely OS command injection.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.