package cross_site_scripting
import (
"github.com/damianmcgrath/threagile/model"
)
// Category returns the static risk-category descriptor for this rule: the
// "cross-site-scripting" identifier, its OWASP references (ASVS V5, the XSS
// prevention cheat sheet, CWE-79), the STRIDE classification (Tampering) and
// the prose shown in reports. DetectionLogic documents what GenerateRisks
// actually does: every in-scope web application is flagged.
func Category() model.RiskCategory {
	xssCategory := model.RiskCategory{
		Id:    "cross-site-scripting",
		Title: "Cross-Site Scripting (XSS)",
		// Rating guidance: other applications on the same origin share the
		// blast radius of a successful XSS, hence the hint in the description.
		Description: "For each web application Cross-Site Scripting (XSS) risks might arise. In terms " +
			"of the overall risk level take other applications running on the same domain into account as well.",
		Impact:     "If this risk remains unmitigated, attackers might be able to access individual victim sessions and steal or modify user data.",
		ASVS:       "V5 - Validation, Sanitization and Encoding Verification Requirements",
		CheatSheet: "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
		Action:     "XSS Prevention",
		Mitigation: "Try to encode all values sent back to the browser and also handle DOM-manipulations in a safe way " +
			"to avoid DOM-based XSS. " +
			"When a third-party product is used instead of custom developed software, check if the product applies the proper mitigation and ensure a reasonable patch-level.",
		Check:          "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?",
		Function:       model.Development,
		STRIDE:         model.Tampering,
		DetectionLogic: "In-scope web applications.",
		RiskAssessment: "The risk rating depends on the sensitivity of the data processed or stored in the web application.",
		// Rule is technology-driven only; it cannot see whether a browser is
		// actually in the request path, so that case is left to the reviewer.
		FalsePositives: "When the technical asset " +
			"is not accessed via a browser-like component (i.e not by a human user initiating the request that " +
			"gets passed through all components until it reaches the web application) this can be considered a false positive.",
		ModelFailurePossibleReason: false,
		CWE:                        79,
	}
	return xssCategory
}
// SupportedTags lists the model tags this rule evaluates. The XSS rule is
// driven solely by the asset's technology type, so it consumes none. The
// result is a non-nil empty slice rather than nil, matching the original
// (a nil slice would serialise as null instead of [] if encoded).
func SupportedTags() []string {
	return make([]string, 0)
}
// GenerateRisks walks the parsed model's technical assets in sorted-ID order
// (deterministic output) and emits one XSS risk per asset that is in scope
// and whose technology is classified as a web application. All other assets
// are skipped. Returns a non-nil (possibly empty) slice.
func GenerateRisks() []model.Risk {
	risks := []model.Risk{}
	for _, assetID := range model.SortedTechnicalAssetIDs() {
		asset := model.ParsedModelRoot.TechnicalAssets[assetID]
		isCandidate := !asset.OutOfScope && asset.Technology.IsWebApplication()
		if !isCandidate { // TODO: also mobile clients or rich-clients as long as they use web-view...
			continue
		}
		risks = append(risks, createRisk(asset))
	}
	return risks
}
// createRisk builds the XSS risk record for a single web-application asset.
//
// Rating: exploitation likelihood is fixed at Likely and data-breach
// probability at Possible. Impact defaults to Medium and is raised to High
// when the asset's highest data confidentiality is StrictlyConfidential or
// its highest integrity is MissionCritical; availability is not considered.
// The synthetic ID is "<category-id>@<asset-id>", and the asset itself is
// the only data-breach target recorded.
func createRisk(technicalAsset model.TechnicalAsset) model.Risk {
	category := Category()
	likelihood := model.Likely
	assetID := technicalAsset.Id

	// Evaluated left to right with short-circuit, same as the original
	// || expression: integrity is only consulted if confidentiality is lower.
	impact := model.MediumImpact
	switch {
	case technicalAsset.HighestConfidentiality() == model.StrictlyConfidential,
		technicalAsset.HighestIntegrity() == model.MissionCritical:
		impact = model.HighImpact
	}

	// NOTE(review): the title is HTML markup and technicalAsset.Title from the
	// model file is concatenated without escaping. The model is treated as
	// trusted input here — confirm the report renderer escapes it before
	// processing models authored by third parties.
	title := "<b>Cross-Site Scripting (XSS)</b> risk at <b>" + technicalAsset.Title + "</b>"

	return model.Risk{
		Category:                     category,
		Severity:                     model.CalculateSeverity(likelihood, impact),
		ExploitationLikelihood:       likelihood,
		ExploitationImpact:           impact,
		Title:                        title,
		MostRelevantTechnicalAssetId: assetID,
		DataBreachProbability:        model.Possible,
		DataBreachTechnicalAssetIDs:  []string{assetID},
		SyntheticId:                  category.Id + "@" + assetID,
	}
}