Cross-site Scripting
Description
Reflected Cross-site Scripting (XSS) occurs when malicious script is injected into a web application through request parameters that are immediately returned to the user without proper sanitization. Unlike stored Cross-site Scripting, a reflected XSS payload is not persisted in the application's database but is "reflected" back in the immediate response.
Remediation
Input validation: implement strict input validation for all user-controlled data. Use allowlist approaches rather than denylists when validating input. Validate data type, length, and range as appropriate.
Output encoding: apply context-specific output encoding when rendering user input. Use HTML entity encoding for HTML contexts, JavaScript string escaping for JavaScript contexts, and CSS hex encoding for style attributes.
Content Security Policy: implement a strict CSP that specifies trusted sources for scripts and other resources. Use script-src 'self' to restrict script execution to same-origin sources. Consider using nonces or hashes for inline scripts when necessary.
Framework Protections: leverage built-in XSS protections in modern frameworks. Use template engines that automatically escape output. Avoid unsafe methods that bypass framework protections (for example, innerHTML, dangerouslySetInnerHTML).
HTTP Headers: set the X-XSS-Protection header for legacy browsers that still honour it. Implement X-Content-Type-Options: nosniff. Use Strict-Transport-Security to enforce HTTPS.
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
79.1 | false | 79 | Active | high |