Cross-site Scripting - Vulnerability Database

Cross-site Scripting

Description

Cross-Site Scripting (XSS) is an injection vulnerability in which attacker-controlled data reaches a web page and is interpreted by the browser as script. It occurs when an application places untrusted data (a query parameter, form field, stored comment, header value) into its HTML, JavaScript, CSS or URL output without encoding it for that output context, so the browser executes the attacker's code with the origin, cookies and session of the vulnerable site. Any web application that reflects or stores user-supplied data and renders it without context-appropriate encoding is exposed.

Remediation

Implement defense-in-depth measures to prevent XSS vulnerabilities:

1. Output Encoding: Encode user-controlled data at the point where it is written into the page, using the encoding for the context it lands in: HTML element content, HTML attribute value, JavaScript string, CSS value or URL parameter each require a different encoder, and a value that is safe in one context is not necessarily safe in another. Use the encoding library provided by or established for your framework rather than hand-written replace calls.

HTML Context Example (Spring's HtmlUtils, which replaces the characters significant to the HTML parser with entity references):

import org.springframework.web.util.HtmlUtils;

// Encode user input before inserting it into element content; the same
// encoder is also safe for a double-quoted attribute value.
String safe = HtmlUtils.htmlEscape(userInput);
response.getWriter().write("<div>" + safe + "</div>");

JavaScript Context Example (org.json's JSONObject.quote; the result must be safe for both the JavaScript parser and the HTML parser, because the HTML parser ends a script element at the first "</script>" regardless of JavaScript string boundaries):

import org.json.JSONObject;

// JSONObject.quote returns the value as a double-quoted JavaScript string
// literal with quotes and backslashes escaped, and writes "</" as "<\/" so
// the value cannot close the enclosing script element early.
String jsonSafe = JSONObject.quote(userInput);
out.write("<script>var data = " + jsonSafe + ";</script>");

If a Content Security Policy without 'unsafe-inline' is deployed (item 3), this inline script element needs a nonce attribute matching the policy, or the assignment has to move to an external script that reads the value from a data attribute.

2. Input Validation: Validate user input on the server against strict allowlists of expected format, length and character set wherever a field has a known shape (usernames, identifiers, dates, enumerated values), and reject non-matching input rather than trying to strip dangerous characters from it. Treat this as a secondary control: free-text fields such as names and comments legitimately contain characters like ', & and <, cannot be allowlisted tightly, and must still be encoded on output.

3. Content Security Policy (CSP): Send a CSP header that disallows inline script and restricts where script may be loaded from. A header of the form below blocks injected <script> elements and inline event handlers, but a host allowlist is only as strong as the weakest script reachable on the listed hosts (a JSONP endpoint or an outdated library on trusted-cdn.com can be used to run attacker code), so prefer a per-response nonce or a hash for the application's own scripts and add object-src 'none' and base-uri 'none':
Content-Security-Policy: default-src 'self'; script-src 'self' trusted-cdn.com
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-<random value generated per response>'; object-src 'none'; base-uri 'none'
Either policy also blocks the page's own inline scripts, such as the <script> element in the JavaScript context example above; give such elements the nonce of the current response or move their code to an external file. Deploy with Content-Security-Policy-Report-Only first to find what the policy would break.

4. Use Security Headers: Send X-Content-Type-Options: nosniff so browsers do not reinterpret uploaded or misdeclared content as HTML or script. Do not rely on X-XSS-Protection: the browser-side filter it controlled has been removed from Chromium-based browsers, was never implemented in Firefox, and was itself a source of vulnerabilities where it existed; omit the header or send X-XSS-Protection: 0.

5. Framework Protection: Use template engines that escape by default (React's JSX, Angular's template binding with its built-in sanitization) and keep their escape hatches away from untrusted data: dangerouslySetInnerHTML in React, the bypassSecurityTrust* methods in Angular, "safe" or "raw" template filters, and string concatenation into innerHTML all reintroduce the vulnerability. Auto-escaping covers element content and attribute values; a user-supplied URL placed in href or src additionally needs its scheme validated, because HTML escaping does not change a javascript: URL.