Can a reflected XSS (cross-site scripting) attack happen on a REST API which takes in an XML request payload and serves an XML response? There is no HTML content in the request or response.
I have gone through quite a lot of documentation on XSS, and I am now of the opinion that this doesn't apply to a REST API which doesn't serve HTML content. Is this understanding correct? We are, however, doing validation on the request received to check if there are any kind of tags (<>) in the input, and a few other business-level validations.
A few points about our service:
- Our REST APIs don’t receive or respond with HTML data.
- We are not getting any input or request directly from an end user (the possibility of an attacker comes mainly from malicious end users).
- We are not sending XML responses directly to end users or to an HTML rendering system (browser), where the chances of XSS are highest.
- We take the request and pass on the response to services that are internal to our enterprise and trusted (partners).
- The XML response we send is used just to read the values embedded in it, in a non-HTML environment (these are trusted services that are reading our responses).
How much risk of XSS is there in this case?
(The reason behind this query is that we are getting a Checkmarx high-severity error in which it suggests we are prone to reflected XSS, and I am thinking this might be a false positive in our case. We are using a Spring Boot application.)