Test the system for cross-site scripting attacks.
CONTROL ID
01321
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary. (CC ID: 00655)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The FI should deploy a combination of automated tools and manual techniques to perform a comprehensive VA. For web-based external facing systems, the scope of VA should include common web vulnerabilities such as SQL injection and cross-site scripting. (§ 9.4.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Verify that processes are in place to ensure that web applications are not vulnerable to cross-site scripting. (§ 6.5.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview responsible personnel and examine the software development policies and procedures to verify cross-site scripting is addressed by coding technologies, such as using context-sensitive escaping and validating all parameters before inclusion. (Testing Procedures § 6.5.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure the development of applications is based on secure coding guidelines and prevents common coding vulnerabilities such as cross-site scripting (XSS). (§ 6.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that processes are in place to ensure that web applications are not vulnerable to cross-site scripting. (§ 6.5.7 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The software development process must address common coding vulnerabilities, to include cross-site scripting. (PCI DSS Requirements § 6.5.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • All parameters should be validated prior to being included in any application to prevent cross-site scripting attacks for internal and external web payment applications. (§ 5.2.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Do coding techniques address cross-site scripting (XSS) vulnerabilities? (PCI DSS Question 6.5.7, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Do coding techniques address cross-site scripting (XSS) vulnerabilities? (PCI DSS Question 6.5.7, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do coding techniques address cross-site scripting (XSS) vulnerabilities? (PCI DSS Question 6.5.7, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • When a web site is hosted that has access to scoped systems and data, do validation checks include cross-site scripting? (§ I.4.5, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is maintained that has access to scoped systems and data, do validation checks include cross-site scripting? (§ I.4.5, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is supported that has access to scoped systems and data, do validation checks include cross-site scripting? (§ I.4.5, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • For cloud computing application program interfaces, does the Application Program Interface code security testing include cross-site scripting? (§ V.1.39.2.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Mobile-enabled Web sites: Include vulnerabilities with Internet banking (hardware, operating system, and security limitations); malicious messages through Web-based attack vectors; limitations on anti-phishing and anti-XSS capabilities; malicious attacks through unvalidated redirects and forwards; u… (AppE.7 Objective 3:5 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)