How to fix cross-site scripting (XSS) in Fortify SCA & Checkmarx SAST reports

Many organizations use static code analyzers like Fortify SCA & Checkmarx SAST to find security flaws in applications. But many developers see reports from Fortify SCA & Checkmarx SAST as creating additional work: they reveal vulnerabilities (both real ones and false positives) while offering no help with remediation. Who fixes the vulnerabilities in the report?

Cross-site scripting (XSS) is a type of web security vulnerability that allows an attacker to inject malicious code into a web page or application. XSS can compromise the privacy and security of users, as well as the integrity and functionality of the web site or application.

Here are some guidelines for fixing cross-site scripting vulnerabilities:

  • Sanitize your inputs and outputs using a library written in the language you use. Sanitization means removing or encoding any characters that could be interpreted as code by the browser.
  • Enforce the use of safer functions whenever applicable (for example, innerText instead of innerHTML in JavaScript). Safer functions prevent the browser from executing any code that is embedded in the input or output.
  • Validate your inputs to ensure they meet specific criteria. Validation means checking if the input matches a certain format, length, range, etc. Validation can help prevent XSS attacks by rejecting any inputs that do not meet the expected criteria.

Here are some examples of how to fix cross-site scripting vulnerabilities:

C# (ASP.NET Web Forms; Encoder.HtmlEncode is the HTML encoder from a library such as Microsoft AntiXSS):

var dt = new DataTable();
var sda = new SqlDataAdapter("SELECT * FROM Employees", conn);
sda.Fill(dt);                                        // populate the table before reading from it
if (dt.Rows.Count > 0)
{
    string name = dt.Rows[0]["Name"].ToString();     // column values are object, not string
    lblEmployeeName.Text = Encoder.HtmlEncode(name); // encode on output so markup in the name is displayed, not parsed
}

Java (Encoder.htmlEncode stands for an HTML-encoding helper such as OWASP Java Encoder's Encode.forHtml):

Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("SELECT * FROM Employees");
if (rs.next()) {                                                      // executeQuery never returns null; next() moves to the first row
    String employeeName = Encoder.htmlEncode(rs.getString("name"));   // HTML-encode before the value is written to the page
}
rs.close();
stmt.close();

JavaScript (Cookies.get from a cookie library such as js-cookie; Sanitizer.sanitize stands for an HTML sanitization library):

let name = Cookies.get("name");                                  // cookie values are user-controlled input
let message = 'Hi ' + Sanitizer.sanitize(name) + ', welcome!';   // sanitize before the value reaches an HTML sink
main.innerHTML = message;                                        // only the sanitized message is assigned to innerHTML
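The three guidelines above (output encoding, validation, safer functions) applied to the cookie-greeting scenario, as an added example that is not code from the original page or from Lucent Sky AVM; htmlEncode, isValidName, renderGreeting and showGreeting are names chosen here, and the name pattern is an assumed allow-list:

```javascript
// Added example: XSS-safe rendering of a user-supplied display name.
// Runs in Node or a browser; no external library is required.

// 1. Output encoding for the HTML body context: each character that could
//    open a tag, attribute or entity is replaced by its HTML entity.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function htmlEncode(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Input validation: an allow-list (assumed here) for display names.
//    Validation narrows the input; it does not replace encoding on output.
const NAME_PATTERN = /^[\p{L}\p{M} .'-]{1,64}$/u;

function isValidName(value) {
  return typeof value === 'string' && NAME_PATTERN.test(value);
}

// Builds the greeting markup. Names failing validation fall back to a fixed
// value, and the name is still encoded afterwards (defence in depth: an
// apostrophe in O'Brien passes validation but must not reach HTML raw).
function renderGreeting(name) {
  const safeName = isValidName(name) ? name : 'guest';
  return 'Hi ' + htmlEncode(safeName) + ', welcome!';
}

// 3. Safer sink: given a DOM element, assign text rather than HTML.
//    textContent never parses markup, so no encoding step is needed.
function showGreeting(element, name) {
  const safeName = isValidName(name) ? name : 'guest';
  element.textContent = 'Hi ' + safeName + ', welcome!';
  return element.textContent;
}
```

renderGreeting covers the case where markup must be built as a string (server-side templates or innerHTML); showGreeting is the preferred path when a DOM element is at hand.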

What if there was a way to fix cross-site scripting (XSS) automatically?

Lucent Sky AVM works like a static code analyzer to pinpoint vulnerabilities, and then offers Instant Fixes - code-based remediation that can be placed immediately in source code to fix common vulnerabilities like cross-site scripting (XSS), SQL injection and path manipulation.

For .NET (C# and VB.NET) and Java applications, Lucent Sky AVM can fix up to 90% of the vulnerabilities it finds.

Using Fortify SCA & Checkmarx SAST and Lucent Sky AVM together

While SAST tools like Fortify SCA & Checkmarx SAST only tell you where vulnerabilities are, Lucent Sky AVM tells you where they are and how to fix them (and actually does it for you, if you like). SAST tools like Fortify SCA & Checkmarx SAST were designed to be used by security professionals and calibrated to find a large number of results, relying on security experts to fine-tune them and weed out false positives. Lucent Sky AVM focuses on finding vulnerabilities that will have a real impact on the application's security, and only fixes what can be fixed with confidence, based on settings chosen by you and your development and security teams. You can learn more about Lucent Sky AVM's remediation process.

Fortify SCA & Checkmarx SAST, Lucent Sky AVM and compliance

If your organization's compliance requires the remediation of all results found by Fortify SCA & Checkmarx SAST (or results that meet certain criteria, critical and high, for example), Lucent Sky AVM can be customized to find the same results while providing additional functional value - automatically fixing those vulnerabilities.

Actionable reporting

Many static code analyzers are designed for and to be used by security professionals. This means they require expert users, and their assessments and outputs aren't developer friendly. Lucent Sky AVM offers clear reporting that caters to both security professionals and developers, providing both analysis results and Instant Fixes (code-based remediation for common vulnerabilities like cross-site scripting and SQL injection) that a non-expert can use to secure their code.

For organizations needing compliance reporting, Lucent Sky can help teams pass Fortify SCA & Checkmarx SAST scans and cut out the noise of false positives, while drastically reducing the time and effort required to secure an application.

Download a report comparison between Lucent Sky AVM and SAST tools to see the difference.

Fixing vulnerabilities in your Fortify SCA & Checkmarx SAST report can be done fast and efficiently

Request a demo and see Lucent Sky AVM in action yourself. To learn more about how Lucent Sky AVM can be used in combination with Fortify SCA & Checkmarx SAST in your environment, get in touch!

