XSS detection in SAST tools


A SAST tool detects a reflected XSS vulnerability. How do I check whether this is a false positive or not?

    @Path(RESET_CREDENTIALS_PATH)
    @POST
    public Response resetCredentialsPOST(@QueryParam(AUTH_SESSION_ID) String authSessionId, // optional, can get from cookie instead
                                         @QueryParam(SESSION_CODE) String code,
                                         @QueryParam(Constants.EXECUTION) String execution,
                                         @QueryParam(Constants.CLIENT_ID) String clientId,
                                         @QueryParam(Constants.TAB_ID) String tabId,
                                         @QueryParam(Constants.KEY) String key) {
        if (key != null) {
            return handleActionToken(key, execution, clientId, tabId);
        }
        // remainder of the method not shown in the question

The Application's resetCredentialsPost embeds untrusted data in the generated output with handleActionToken without proper sanitization.

Best answer:
  1. Identify the origin of the key parameter. Does it come from user input? If so, is it sanitized before it is used in handleActionToken?

  2. Look at the method handleActionToken. Is key being used in a context where it could be interpreted as script? Does the method perform any sanitization or validation on the input?

  3. Inject potentially harmful data into the key parameter. If you're able to run JavaScript on the page, it's not a false positive.

If key is properly sanitized before it is inserted into the output, then the vulnerability might be a false positive. If not, then you've indeed found a vulnerability.
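What the checks in steps 1 and 2 would look like if they were present, as an added example that is not the project's own handleActionToken. It assumes the key parameter carries a JWT-shaped action token (three dot-separated base64url segments) and that, on failure, the value would otherwise be reflected into an HTML error page; the class, method names and sample strings are constructed for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example (hypothetical class, not part of the application under review):
 * the two controls a reviewer looks for before closing a reflected-XSS finding
 * as a false positive: allow-list validation at the source and output encoding
 * at the sink.
 */
public final class ActionTokenTriage {

    // Assumption: a valid action token is JWT-shaped, i.e. base64url characters
    // in three segments separated by dots. Anything else is rejected outright.
    private static final Pattern TOKEN_SHAPE =
            Pattern.compile("^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$");

    /** Source-side check: is the untrusted value even the shape we expect? */
    public static boolean isWellFormedActionToken(String key) {
        return key != null && key.length() <= 4096 && TOKEN_SHAPE.matcher(key).matches();
    }

    /** Sink-side check: make the value inert in an HTML text or attribute context. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Hardened shape of the error path: a malformed value is never echoed at all,
     * and a well-formed one is HTML-encoded before it reaches the page.
     */
    public static String renderTokenError(String key) {
        if (!isWellFormedActionToken(key)) {
            return "<p>Invalid or expired action token.</p>";
        }
        return "<p>Action token " + escapeHtml(key) + " could not be processed.</p>";
    }

    public static void main(String[] args) {
        // Constructed samples, not real tokens.
        String constructedBad = "abc.\"<b>def</b>\".ghi";
        String constructedOk  = "eyJhbGciOiJIUzI1NiJ9.e30.abc-_123";

        System.out.println("bad well-formed? " + isWellFormedActionToken(constructedBad));
        System.out.println("ok well-formed?  " + isWellFormedActionToken(constructedOk));
        System.out.println(renderTokenError(constructedBad));
        System.out.println(renderTokenError(constructedOk));
    }
}
```

If the real handleActionToken (and the error template it renders into) contains neither of these controls and the value reaches the page unchanged, the finding is genuine; if the template engine already encodes the value for the HTML context, or the token is validated and never echoed, the SAST result can be closed as a false positive with that evidence attached.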