Cross Site Scripting

Cross-Site Scripting (XSS) occurs when untrusted input is incorporated into a web page without proper validation or output encoding. This allows an adversary to inject malicious JavaScript into the page. When other users load the compromised page, the attacker’s script executes in their browser, enabling session hijacking, credential theft, or arbitrary actions on behalf of the victim.

Remediation

Use modern frontend frameworks (e.g., React, Angular, Vue) that automatically apply context-aware escaping for untrusted data.
Apply strict, context-sensitive output encoding for any data rendered into HTML, attributes, JavaScript, or CSS.
Enforce Content Security Policy (CSP) to reduce the impact of potential XSS by restricting inline scripts and untrusted sources.
Validate and sanitise input to minimise attack surface, especially in legacy code where auto-escaping is not available.

Metadata

Severity: medium
Slug: cross-site-scripting

CWEs

79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
83: Improper Neutralization of Script in Attributes in a Web Page
116: Improper Encoding or Escaping of Output

OWASP

A03:2021: Injection
A7:2017: Cross-Site Scripting (XSS)

Available Labs

Select a language to explore available labs for this vulnerability.

1 Lab

Csharp Labs

Csharp 1 lab

Explore 1 lab in Csharp.

1 Lab

Go Labs

Go 1 lab

Explore 1 lab in Go.

2 Labs

Java Labs

Java 2 labs

Explore 2 labs in Java.

3 Labs

Javascript Labs

Javascript 3 labs

Explore 3 labs in Javascript.

2 Labs

Php Labs

Php 2 labs

Explore 2 labs in Php.

5 Labs

Python Labs

Python 5 labs

Explore 5 labs in Python.

1 Lab

Ruby Labs

Ruby 1 lab

Explore 1 lab in Ruby.

3 Labs

Typescript Labs

Typescript 3 labs

Explore 3 labs in Typescript.

No matching labs found

Try adjusting your language filter.

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.