PCI Requirement 6.5.7 – Cross-Site Scripting (XSS)

by Randy Bartels / October 13th, 2017

What is Cross-Site Scripting?

Cross-site scripting (XSS) is another type of common coding vulnerability associated with application development. PCI Requirement 6.5.7 requires that you protect all of your organization’s web applications, internal application interfaces, and external application interfaces from XSS. Web applications, the PCI DSS states, have unique security risks as well as relative ease and occurrence of compromise.

How does an XSS attack work? XSS is a type of injection in which malicious scripts are injected to a trusted website. OWASP explains, “An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.” There are three types of XSS: Stored XSS, Reflected XSS, and DOM Based XSS.

• Stored XXS takes place when user input is stored on a target server, and a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser.
• Reflected XSS happens when user input is immediately returned by a web application with a response that includes some or all of the input provided by the user as part of the request without that data being made safe to render in the browser, and without permanently storing the user provided data.

• DOM Based XSS occurs when the entire tainted data flow takes place in the browser.

In order to verify your compliance with PCI Requirement 6.5.7, an assessor will need to review your policies and procedures related to application development and interview the responsible personnel to ensure that your development process addresses validating all parameters and context-sensitive escaping.

Cross-site scripting typically happens one of multiple ways. What’s happening is the source code being displayed to the end-user has an escape character. Where this becomes an issue is when somebody can cause a webpage or something can be loaded from a third party’s website that might contain some malicious information. PCI Requirement 6.5.7 expects you to have a program in place to prevent cross-site scripting. From an assessment perspective, what we’re typically looking for is that you have some type of whitelisting or some type of character validation to make sure that all of those escape characters that would be noted as causing cross-site scripting are rendered neutral.