
Cross Site Scripting

Impact: High

Description

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. (OWASP)

Recommendation

Before user input is rendered into a page, use a library to sanitize it and to encode it for the HTML context in which it is placed. The primary defenses against XSS are described in the OWASP XSS Prevention Cheat Sheet. The OWASP ESAPI project has produced a set of reusable security components in several languages, including validation and escaping routines to prevent parameter tampering and the injection of XSS attacks. (OWASP)
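The following is an added example, not SmartScanner's or OWASP's code, showing the difference the recommendation makes: a template that concatenates untrusted input straight into markup beside one that encodes the input for the HTML text and quoted-attribute contexts first. The function names, the sample input and the tiny `escapeHtml` encoder are all assumptions made for illustration; in production the ESAPI or equivalent library encoders named above should be used, and other contexts (URL, JavaScript, CSS) need their own encoders as described in the cheat sheet.

```javascript
// Added example (not from the original page). Minimal HTML-context encoder:
// the five characters that carry meaning in HTML text and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Single-pass replacement, so '&' is never re-encoded by a later step.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable (hypothetical name): untrusted 'name' lands in the page unchanged,
// so any markup it contains is parsed by the browser as part of the page.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same template, but the value is encoded for the HTML text
// context before it is inserted. Markup characters become inert entities.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Quoted-attribute context: the attribute must be BOTH quoted and encoded;
// encoding alone does not protect an unquoted attribute value.
function renderSearchBox(query) {
  return `<input type="text" name="q" value="${escapeHtml(query)}">`;
}

// Constructed sample input of the kind a scanner sends as a reflection probe.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// Defender-side check: does the rendered HTML still contain the raw probe?
// True means the input was reflected without encoding (the flaw described above).
function reflectsRawInput(html, input) {
  return html.includes(input);
}

function demo() {
  return {
    unsafe: renderGreetingUnsafe(SAMPLE_INPUT),
    safe: renderGreetingSafe(SAMPLE_INPUT),
    unsafeReflects: reflectsRawInput(renderGreetingUnsafe(SAMPLE_INPUT), SAMPLE_INPUT),
    safeReflects: reflectsRawInput(renderGreetingSafe(SAMPLE_INPUT), SAMPLE_INPUT),
  };
}

console.log(demo());
```

Running the block prints both renderings: the unsafe one contains the raw `<script>` tag and `unsafeReflects` is `true`; the safe one contains only `&lt;script&gt;...` entities and `safeReflects` is `false`. The `reflectsRawInput` check is the same observation a scanner makes when it reports this issue.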

Last updated on February 15, 2021
