CodeQL documentation

CGI script vulnerable to cross-site scripting

ID: cpp/cgi-xss
Kind: path-problem
Security severity: 6.1
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-079
Query suites:
  - cpp-code-scanning.qls
  - cpp-security-extended.qls
  - cpp-security-and-quality.qls


Directly writing an HTTP request parameter back to a web page allows for a cross-site scripting vulnerability. The data is displayed in a user’s web browser as belonging to one site, but it is provided by some other site that the user browses to. In effect, such an attack allows one web site to insert content in the other one.

For web servers implemented with the Common Gateway Interface (CGI), HTTP parameters are supplied via the QUERY_STRING environment variable.

Recommendation

To guard against cross-site scripting, consider escaping special characters before writing the HTTP parameter back to the page.

Example

In the following example, the bad_server writes a parameter directly back to the HTML page that the user will see. The good_server first escapes any HTML special characters before writing to the HTML page.

```c
#include <stdio.h>
#include <stdlib.h>

/* Helpers called by the example but not shown on this page. */
char *do_search(const char *query);
char *escape_html(const char *query);

void bad_server() {
    char *query = getenv("QUERY_STRING");
    puts("<p>Query results for ");
    // BAD: Printing out an HTTP parameter with no escaping
    puts(query);
    puts("\n<p>\n");
    puts(do_search(query));
}

void good_server() {
    char *query = getenv("QUERY_STRING");
    puts("<p>Query results for ");
    // GOOD: Escape HTML characters before adding to a page
    char *query_escaped = escape_html(query);
    puts(query_escaped);
    free(query_escaped);
    puts("\n<p>\n");
    puts(do_search(query));
}
```
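The example above calls an escape_html helper that the page does not show. The following is an added implementation (not part of the CodeQL documentation or query) that entity-encodes the five HTML metacharacters, and a caller that also treats a missing QUERY_STRING as empty, since getenv returns NULL when the variable is unset and passing NULL to puts is undefined behaviour:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of s with &, <, >, " and ' replaced by HTML
 * entities, safe to emit into element content or a double-quoted attribute.
 * Caller frees. Returns NULL if s is NULL or allocation fails. */
char *escape_html(const char *s) {
    if (s == NULL) return NULL;
    /* Worst case: every byte expands to "&quot;" (6 bytes). */
    size_t len = strlen(s);
    char *out = malloc(len * 6 + 1);
    if (out == NULL) return NULL;
    char *p = out;
    for (; *s; s++) {
        const char *rep;
        switch (*s) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   *p++ = *s;      continue;
        }
        size_t rl = strlen(rep);
        memcpy(p, rep, rl);
        p += rl;
    }
    *p = '\0';
    return out;
}

/* Hypothetical caller (assumed name): the good_server pattern with the
 * NULL case handled and a closing tag emitted. */
void good_server_with_escaping(void) {
    const char *query = getenv("QUERY_STRING");
    if (query == NULL) query = "";   /* unset variable: treat as empty */
    char *escaped = escape_html(query);
    if (escaped == NULL) {
        puts("<p>Internal error</p>");
        return;
    }
    puts("<p>Query results for ");
    puts(escaped);
    puts("</p>");
    free(escaped);
}
```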
