CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Alto
Stable
2006-07-19
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Nombre: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Informaciones generales
Detalles de contexto
Modos de introducción
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.Plataformas aplicables
Lenguaje
Class: Not Language-Specific (Undetermined)Tecnologías
Name: AI/ML (Undetermined)Class: Web Based (Often)
Name: Web Server (Undetermined)
Consecuencias comunes
| Alcance | Impacto | Probabilidad |
|---|---|---|
| Access Control Confidentiality | Bypass Protection Mechanism, Read Application Data Note: The most common attack performed with cross-site scripting involves the disclosure of private information stored in user cookies, such as session information. Typically, a malicious user will craft a client-side script, which -- when parsed by a web browser -- performs some activity on behalf of the victim to an attacker-controlled system (such as sending all site cookies to a given E-mail address). This could be especially dangerous to the site if the victim has administrator privileges to manage that site. This script will be loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also. | |
| Integrity Confidentiality Availability | Execute Unauthorized Code or Commands Note: In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws, for example, "drive-by hacking." | |
| Confidentiality Integrity Availability Access Control | Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data Note: The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Some cross-site scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running "Active X" controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content. |
Ejemplos observados
| Referencias | Descripción |
|---|---|
CVE-2024-49038 | XSS in AI assistant |
CVE-2024-54142 | Plugin that enables AI features allows input with html entities, leading to XSS |
CVE-2021-25926 | Python Library Manager did not sufficiently neutralize a user-supplied search term, allowing reflected XSS. |
CVE-2021-25963 | Python-based e-commerce platform did not escape returned content on error pages, allowing for reflected Cross-Site Scripting attacks. |
CVE-2021-1879 | Universal XSS in mobile operating system, as exploited in the wild per CISA KEV. |
CVE-2020-3580 | Chain: improper input validation (CWE-20) in firewall product leads to XSS (CWE-79), as exploited in the wild per CISA KEV. |
CVE-2014-8958 | Admin GUI allows XSS through cookie. |
CVE-2017-9764 | Web stats program allows XSS through crafted HTTP header. |
CVE-2014-5198 | Web log analysis product allows XSS through crafted HTTP Referer header. |
CVE-2008-5080 | Chain: protection mechanism failure allows XSS |
CVE-2006-4308 | Chain: incomplete denylist (CWE-184) only checks "javascript:" tag, allowing XSS (CWE-79) using other tags |
CVE-2007-5727 | Chain: incomplete denylist (CWE-184) only removes SCRIPT tags, enabling XSS (CWE-79) |
CVE-2008-5770 | Reflected XSS using the PATH_INFO in a URL |
CVE-2008-4730 | Reflected XSS not properly handled when generating an error message |
CVE-2008-5734 | Reflected XSS sent through email message. |
CVE-2008-0971 | Stored XSS in a security product. |
CVE-2008-5249 | Stored XSS using a wiki page. |
CVE-2006-3568 | Stored XSS in a guestbook application. |
CVE-2006-3211 | Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag. |
CVE-2006-3295 | Chain: library file is not protected against a direct request (CWE-425), leading to reflected XSS (CWE-79). |
Mitigaciones potenciales
Phases : Architecture and DesignPhases : Implementation // Architecture and Design
Phases : Architecture and Design // Implementation
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
Phases : Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phases : Architecture and Design
If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
Phases : Implementation
Phases : Implementation
With Struts, write all data from form beans with the bean's filter attribute set to true.
Phases : Implementation
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
Phases : Implementation
Phases : Architecture and Design
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Phases : Operation
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Phases : Operation // Implementation
When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
Métodos de detección
Automated Static Analysis
Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.Efectividad : Moderate
Black Box
Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.Efectividad : Moderate
Notas de mapeo de vulnerabilidades
Justificación : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Patrones de ataque relacionados
| CAPEC-ID | Nombre del patrón de ataque |
|---|---|
| CAPEC-209 | XSS Using MIME Type Mismatch
An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser. |
| CAPEC-588 | DOM-Based XSS
This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. An attack like this is guaranteed to bypass any server-side filtering attempts to protect users. |
| CAPEC-591 | Reflected XSS
This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application. |
| CAPEC-592 | Stored XSS
An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerable web application as valid input. |
| CAPEC-63 | Cross-Site Scripting (XSS)
An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect. |
| CAPEC-85 | AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS. |
Notas
Referencias
REF-709
XSS AttacksJeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie.
REF-44
24 Deadly Sins of Software SecurityMichael Howard, David LeBlanc, John Viega.
REF-44
24 Deadly Sins of Software SecurityMichael Howard, David LeBlanc, John Viega.
REF-712
Cross-site scriptinghttps://en.wikipedia.org/wiki/Cross-site_scripting
REF-7
Writing Secure CodeMichael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
REF-714
XSS (Cross Site Scripting) Cheat SheetRSnake.
http://ha.ckers.org/xss.html
REF-715
Mitigating Cross-site Scripting With HTTP-only CookiesMicrosoft.
https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN
REF-716
Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live!Mark Curphey, Microsoft.
https://learn.microsoft.com/en-us/archive/blogs/cisg/anti-xss-3-0-beta-and-cat-net-community-technology-preview-now-live
REF-45
OWASP Enterprise Security API (ESAPI) ProjectOWASP.
https://owasp.org/www-project-enterprise-security-api/
REF-718
XSS Defense HOWTOIvan Ristic.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/xss-defense-howto/
REF-719
Web Application FirewallOWASP.
http://www.owasp.org/index.php/Web_Application_Firewall
REF-720
Web Application Firewall Evaluation CriteriaWeb Application Security Consortium.
http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria
REF-721
Firefox Implements httpOnly And is Vulnerable to XMLHTTPRequestRSnake.
REF-722
XMLHttpRequest allows reading HTTPOnly cookieshttps://bugzilla.mozilla.org/show_bug.cgi?id=380418
REF-723
Apache Wickethttp://wicket.apache.org/
REF-724
XSS (Cross Site Scripting) Prevention Cheat SheetOWASP.
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
REF-725
DOM based XSS Prevention Cheat SheetOWASP.
http://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
REF-726
Top 25 series - Rank 1 - Cross Site ScriptingJason Lam.
https://www.sans.org/blog/top-25-series-rank-1-cross-site-scripting/
REF-62
The Art of Software Security AssessmentMark Dowd, John McDonald, Justin Schuh.
REF-956
Samy (computer worm)Wikipedia.
https://en.wikipedia.org/wiki/Samy_(computer_worm)
REF-962
Automated Source Code Security Measure (ASCSM)Object Management Group (OMG).
http://www.omg.org/spec/ASCSM/1.0/
REF-1481
D3FEND: Application Layer FirewallD3FEND.
https://d3fend.mitre.org/dao/artifact/d3f:ApplicationLayerFirewall/
REF-1482
D3FEND: D3-TL Trusted LibraryD3FEND.
https://d3fend.mitre.org/technique/d3f:TrustedLibrary/
Envío
| Nombre | Organización | Fecha | Fecha de lanzamiento | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modificaciones
| Nombre | Organización | Fecha | Comentario |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| Veracode | Suggested OWASP Top Ten 2004 mapping | ||
| CWE Content Team | MITRE | updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Description, Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Name | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Observed_Examples | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Description, Potential_Mitigations, Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, References | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Detection_Factors, Potential_Mitigations | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships | |
| CWE Content Team | MITRE | updated Alternate_Terms, Demonstrative_Examples, Description, Observed_Examples, References, Relationship_Notes, Relationships | |
| CWE Content Team | MITRE | updated References, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Potential_Mitigations, Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Background_Details, Observed_Examples | |
| CWE Content Team | MITRE | updated Alternate_Terms, Demonstrative_Examples, Description | |
| CWE Content Team | MITRE | updated References, Relationships, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Mapping_Notes, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Alternate_Terms, Common_Consequences, Description, Diagram, Other_Notes | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Observed_Examples, Potential_Mitigations, References | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Relationships |
