CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Abstraction: Base. Status: Stable. 20 recent CVEs are listed below.
Description
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Common consequences
- Scope: Access Control, Confidentiality. Impact: Bypass Protection Mechanism, Read Application Data. The most common attack performed with cross-site scripting involves the disclosure of private information stored in user cookies, such as session information. Typically, a malicious user will craft a client-side script, which -- when parsed
- Scope: Integrity, Confidentiality, Availability. Impact: Execute Unauthorized Code or Commands. In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws, for example, "drive-by hacking."
- Scope: Confidentiality, Integrity, Availability, Access Control. Impact: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data. The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server. XSS can cause a variety of problems for the end user that range in severity from an
Potential mitigations
- Phase: Architecture and Design, Implementation. Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly throug
- Phase: Architecture and Design. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- Phase: Architecture and Design. If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
- Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
- Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n
- Phase: Architecture and Design. When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
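As an added example that is not part of the CWE entry, the following Python puts three of the mitigations above into code: per-context output encoding for element content and attribute values, the fixed-ID allowlist mapping that rejects all other inputs, and an HttpOnly session cookie. The untrusted input, page table and session value are constructed for the demonstration.

```python
import html
import re

# Constructed sample of user-controllable input (not from the CWE page).
UNTRUSTED_NAME = '"><script>alert(document.cookie)</script>'

def escape_text(value: str) -> str:
    """Neutralize input for the HTML element-content context."""
    return html.escape(value, quote=True)

def escape_attr(value: str) -> str:
    """Neutralize input for a quoted HTML attribute value.
    Every character outside [A-Za-z0-9] becomes a numeric entity, so a
    quote, angle bracket or event-handler fragment cannot close the attribute."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#x{ord(m.group()):X};", value)

# Allowlist mapping from fixed numeric IDs to known files (constructed table):
# anything that is not a key here is rejected rather than used.
PAGES = {"1": "home.html", "2": "about.html", "3": "contact.html"}

def resolve_page(page_id: str) -> str:
    """Map a user-supplied ID to a known file; reject everything else."""
    if page_id not in PAGES:
        raise ValueError("unknown page id")
    return PAGES[page_id]

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session cookie that document.cookie cannot read.
    HttpOnly blocks script access; Secure and SameSite are added hardening."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

def render_profile(display_name: str, page_id: str) -> str:
    """Assemble a fragment, encoding each value for the context it lands in."""
    target = resolve_page(page_id)  # allowlisted, so safe inside href
    return (f'<a href="/{target}" title="{escape_attr(display_name)}">'
            f"Hello, {escape_text(display_name)}</a>")

if __name__ == "__main__":
    print(render_profile(UNTRUSTED_NAME, "2"))
    print(session_cookie_header("PLACEHOLDER_SESSION_ID"))
```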
Related CWEs
Recent CVEs classified under this CWE
CVE ID            Score (as listed)   Date
CVE-2026-7556     7.2                 2026-06-09
CVE-2026-5714     6.4                 2026-06-09
CVE-2026-10862    6.4                 2026-06-09
CVE-2026-44757    4.7                 2026-06-09
CVE-2026-44746    6.1                 2026-06-09
CVE-2026-44541    -                   2026-06-08
CVE-2026-47345    -                   2026-06-08
CVE-2026-47344    -                   2026-06-08
CVE-2026-11534    3.5                 2026-06-08
CVE-2026-29170    6.1                 2026-06-08
CVE-2026-25558    4.8                 2026-06-08
CVE-2026-11520    3.5                 2026-06-08
CVE-2026-11518    4.3                 2026-06-08
CVE-2026-9549     4.8                 2026-06-08
CVE-2026-8833     -                   2026-06-08
CVE-2026-8078     4.8                 2026-06-08
CVE-2026-7186     5.4                 2026-06-08
CVE-2026-11512    4.3                 2026-06-08
CVE-2026-3011     6.4                 2026-06-08
CVE-2026-11569    5.4                 2026-06-08