Cross Site Scripting

Cross-Site Scripting (XSS) occurs when untrusted input is incorporated into a web page without proper validation or output encoding. This allows an adversary to inject malicious JavaScript into the page. When other users load the compromised page, the attacker’s script executes in their browser, enabling session hijacking, credential theft, or arbitrary actions on behalf of the victim.

Remediation

Use modern frontend frameworks (e.g., React, Angular, Vue) that automatically apply context-aware escaping for untrusted data.
Apply strict, context-sensitive output encoding for any data rendered into HTML, attributes, JavaScript, or CSS.
Enforce Content Security Policy (CSP) to reduce the impact of potential XSS by restricting inline scripts and untrusted sources.
Validate and sanitise input to minimise attack surface, especially in legacy code where auto-escaping is not available.

Metadata

Severity: medium
Slug: cross-site-scripting

CWEs

79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
83: Improper Neutralization of Script in Attributes in a Web Page
116: Improper Encoding or Escaping of Output

OWASP

A03:2021: Injection
A7:2017: Cross-Site Scripting (XSS)

Available Labs

Open Java labs in SecDim Play for this vulnerability.

easy

XSS.java

Java Easy Spring

easy

XSS2.java

Java Easy Spring Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.