(Possible) Cross site scripting - Vulnerability Database

(Possible) Cross site scripting

Description

This endpoint may be vulnerable to Cross-Site Scripting (XSS): user-supplied input is reflected in the response body without proper output encoding.

Important: The response is served with a JSON Content-Type, so a browser that opens the URL directly will not render it as HTML and the reflection is not exploitable on its own. It may still be exploitable if client-side JavaScript fetches this response and writes the reflected field into the DOM without encoding it (for example via innerHTML, insertAdjacentHTML(), document.write(), eval(), or jQuery's .html()). Manual verification is required: trace where the application's client-side code consumes this field and confirm that every sink is a text sink, or that the value is sanitized before it reaches an HTML sink. The JSON Content-Type only protects you if it is sent on every code path, error responses included, and is paired with X-Content-Type-Options: nosniff so the browser cannot sniff the body as HTML.

Cross-Site Scripting allows attackers to inject malicious scripts into web pages viewed by other users. When executed, these scripts run in the victim's browser with the privileges of the vulnerable origin: they can read cookies not marked HttpOnly, tokens kept in the page or in Web Storage, and any page content, and they can issue requests as the victim, enabling session hijacking, credential theft, and other attacks.

Remediation

Prevent XSS with context-aware output encoding at every point where data is written into a response, backed by server-side input validation:

1. Server-Side Mitigation:

  • Validate user input on the server side (type, length, allowed character set) before processing it; treat validation as defense in depth, not as the XSS fix itself
  • Encode output for the context in which the data will be written (HTML body, HTML attribute, JavaScript string, URL parameter, CSS); for JSON responses, JSON.stringify already escapes quotes and control characters, but also escape '<', '>' and '&' so the body stays safe if it is ever inlined into a page
  • Use established security libraries for encoding (e.g., OWASP Java Encoder, or the System.Text.Encodings.Web encoders that replaced the legacy Microsoft AntiXSS library in .NET)
Example (JavaScript/Node.js, Express):
const express = require('express');
const sanitizeHtml = require('sanitize-html');
const app = express();

// Bad - reflects the raw input; JSON encoding keeps it a string, but a
// client that writes this field into the DOM with innerHTML is exploitable
app.get('/echo', (req, res) => {
  res.json({ message: String(req.query.message ?? '') });
});

// Good - strip every tag and attribute before including the value in the
// response (defense in depth: the client must still use a text sink)
app.get('/echo-safe', (req, res) => {
  const cleanInput = sanitizeHtml(String(req.query.message ?? ''), {
    allowedTags: [],
    allowedAttributes: {}
  });
  res.json({ message: cleanInput });
});
2. Client-Side Mitigation:
  • When processing JSON responses, never pass response data to HTML or code sinks such as innerHTML, insertAdjacentHTML(), document.write(), eval(), or jQuery's .html()
  • Use text sinks such as textContent (preferred over innerText, which is layout- and CSS-aware) for inserting data
  • If HTML rendering is genuinely required, run the value through a trusted sanitization library such as DOMPurify immediately before the HTML sink
Example (Client-side JavaScript):
// Bad - Vulnerable to XSS: the message is parsed as HTML
document.getElementById('output').innerHTML = jsonResponse.message;

// Good - Safe text insertion: the message becomes a text node, never markup
document.getElementById('output').textContent = jsonResponse.message;

// If HTML is needed - sanitize first (DOMPurify loaded via <script> or import)
const clean = DOMPurify.sanitize(jsonResponse.message);
document.getElementById('output').innerHTML = clean;
3. Additional Security Headers:
  • Deploy a Content Security Policy that disallows inline script (for example a nonce- or hash-based script-src), so an injected <script> element or event handler cannot execute even if one sink is missed
  • Send X-Content-Type-Options: nosniff on JSON responses so the browser cannot sniff the body as HTML and render the reflected input when the URL is opened directly
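As an added example (not code from Invicti or from this page), the following Node.js script shows the server side of the remediation for sections 1 and 3 in one runnable piece: context-aware encoders for the HTML and JSON contexts, a handler for a hypothetical GET /echo?message=... route that sends the JSON Content-Type together with X-Content-Type-Options: nosniff, and a reviewer check that flags JSON bodies still containing raw angle brackets. It uses only Node built-ins; the route, the helper names and the probe payload are constructed for the demonstration. The JSON encoder escapes '<', '>' and '&' as \u00XX sequences, which goes beyond the page's sanitize-html example: the client still receives the user's exact string (JSON.parse returns it unchanged), so the text-sink rule from section 2 still applies on the client, but the body itself can never be parsed as markup, even if it is inlined into a <script> block.

```javascript
// Added example (not Invicti's or any project's code): a JSON endpoint that
// reflects user input, with context-aware encoding and the response headers
// the remediation calls for. Uses only Node built-ins; the route /echo, the
// helper names, and the payloads below are constructed for this demo.

// HTML-body/attribute context: the five characters that can change HTML
// structure or terminate a quoted attribute.
function encodeForHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// JSON context. JSON.stringify escapes quotes and control characters but
// leaves '<', '>' and '&' alone, so a value such as "</script>" would close
// the element if this body were ever inlined in a <script> block. Replacing
// them with \u00XX escapes is semantically neutral: JSON.parse returns the
// original string, so the client sees exactly what the user sent.
function jsonForHtml(value) {
  return JSON.stringify(value).replace(/[<>&]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Full response: body plus the headers that keep a browser from ever
// treating the reflected input as HTML when the URL is opened directly.
function buildJsonResponse(payload) {
  return {
    statusCode: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: jsonForHtml(payload),
  };
}

// Handler shaped for Node's http.createServer((req, res) => ...): reads the
// reflected parameter from GET /echo?message=... and writes the response.
function handleEcho(req, res) {
  const url = new URL(req.url, 'http://localhost');
  const userInput = url.searchParams.get('message') ?? '';
  const out = buildJsonResponse({ message: userInput });
  res.writeHead(out.statusCode, out.headers);
  res.end(out.body);
}

// Server-rendered HTML page that both displays the message and bootstraps the
// same JSON into a script block: each context gets its own encoder.
function renderPage(message) {
  return [
    '<!doctype html>',
    `<p id="output">${encodeForHtml(message)}</p>`,
    `<script>window.__DATA__ = ${jsonForHtml({ message })};</script>`,
  ].join('\n');
}

// Reviewer check: a JSON body with a raw '<' or '>' is one missing nosniff
// header or one inline <script> embed away from being parsed as markup.
function hasRawAngleBrackets(body) {
  return /[<>]/.test(body);
}

// Constructed sample payload: a classic reflected-XSS probe.
const PROBE = '</script><script>alert(document.domain)</script>';

// Runs the probe through the safe and the naive serialiser and reports
// what a reviewer would want to know about each.
function demo() {
  const out = buildJsonResponse({ message: PROBE });
  return {
    body: out.body,
    roundTrips: JSON.parse(out.body).message === PROBE,
    rawBrackets: hasRawAngleBrackets(out.body),
    naiveRawBrackets: hasRawAngleBrackets(JSON.stringify({ message: PROBE })),
    page: renderPage(PROBE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node to see the probe serialised as \u003c/script\u003e... in the JSON body and as &lt;/script&gt;... in the HTML paragraph; handleEcho can be passed straight to http.createServer() to serve the same body with the headers above.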