Reflective Cross-Site Scripting (rXSS)

Severity: High
Test name: Cross-Site Scripting (XSS)
Summary

The application includes unvalidated and unescaped user input as part of its HTML output. The attack principle is as simple as tricking a user into clicking a link. When the user visits a crafted page (for example, by clicking a URL such as https://{your_web_site}.com?search={malicious_code}, which they may receive by email), the script ({malicious_code}) supplied by the attacker is executed in the user's browser in the context of the application.

A successful attack allows the attacker to execute arbitrary HTML and JavaScript in the user's browser. As a result, the attacker effectively gains the victim's access to the application and can do anything the victim (user) can do on the client side, such as reading cookies, session tokens and other sensitive data.

Impact

This vulnerability allows an attacker to:

  • Execute unauthorized code or commands
  • Bypass protection mechanisms
  • Read application data
  • Deface the application

Location

The issue can be found in the source code on the client side.

Remedy suggestions

To bolster web application security, adhere to these guidelines:

  • Avoid embedding untrusted data in your HTML document whenever possible. Limit insertion to specifically safe locations.
  • Prioritize HTML encoding for untrusted data before integrating it into the content of HTML elements.
  • Utilize attribute encoding for untrusted data before embedding it into common HTML attributes.
  • Implement JavaScript encoding to safeguard untrusted data before inserting it into JavaScript data values.
  • Before incorporating untrusted data into HTML style property values, apply CSS encoding and conduct rigorous validation.
  • Employ URL encoding for untrusted data before inserting it into HTML URL parameter values.
  • Rely on libraries specifically designed for the task of sanitizing HTML markup. Validation can be challenging when dealing with markup (untrusted input expected to contain HTML), and encoding might disrupt necessary tags. Opt for libraries capable of parsing and sanitizing HTML, such as HTMLSanitizer, OWASP Java HTML Sanitizer, and DOMPurify, among others.
  • Exercise caution with JavaScript URLs. Untrusted URLs using the "javascript:" scheme execute JavaScript code when placed in URL DOM locations such as anchor tag href attributes or iframe src attributes. Validate all untrusted URLs so that only safe schemes such as HTTPS are allowed.

Classifications

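As an added illustration of the context-specific encoding the guidelines above call for (this example is not part of the original report), the following Node.js code places a reflected search parameter into several HTML contexts twice: once unencoded, reproducing the reflected XSS described in the summary, and once with the encoder that matches each context, plus a scheme allow-list for untrusted URLs. The function names, page template, base origin and sample payload are all constructed for this example.

```javascript
// Added example, not code from the original report: context-aware output encoding
// for a reflected "search" parameter. Runs under Node.js with no dependencies.
// All function names, the page template and the sample input are constructed.

// 1. HTML element content: neutralise the characters that change HTML structure.
const HTML_ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ENTITY[c]);
}

// 2. HTML attribute values: every non-alphanumeric character becomes a numeric
//    entity, so the value cannot terminate a quoted or unquoted attribute.
function encodeForHtmlAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// 3. JavaScript string literals: hex/unicode escapes, so the value can neither
//    close the quote nor inject "</script>" to end the surrounding script block.
function encodeForJavaScript(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return `\\x${cp.toString(16).padStart(2, '0')}`;
    if (cp < 0x10000) return `\\u${cp.toString(16).padStart(4, '0')}`;
    return `\\u{${cp.toString(16)}}`;
  });
}

// 4. URL query parameter values: percent-encoding with the built-in function.
function encodeForUrlParameter(input) {
  return encodeURIComponent(String(input));
}

// 5. Whole URLs destined for href/src: encoding does not help here, because
//    "javascript:alert(1)" is a perfectly valid URL string. Allow-list the scheme.
function isSafeNavigationUrl(candidate) {
  let url;
  try {
    // Relative URLs resolve against the site's own origin (constructed base).
    url = new URL(String(candidate), 'https://your-web-site.example/');
  } catch {
    return false;
  }
  return url.protocol === 'https:' || url.protocol === 'http:';
}

// Vulnerable rendering: the raw parameter is concatenated into three different
// contexts, so ?search=<payload> is reflected verbatim and executed.
function renderSearchPageVulnerable(search) {
  return [
    `<h1>Results for ${search}</h1>`,
    `<input name="search" value="${search}">`,
    `<script>var query = "${search}";</script>`,
  ].join('\n');
}

// Hardened rendering: each insertion point uses the encoder for its own context.
function renderSearchPageSafe(search) {
  return [
    `<h1>Results for ${encodeForHtml(search)}</h1>`,
    `<input name="search" value="${encodeForHtmlAttribute(search)}">`,
    `<script>var query = "${encodeForJavaScript(search)}";</script>`,
    `<a href="/search?q=${encodeForUrlParameter(search)}">Permalink</a>`,
  ].join('\n');
}

// Constructed sample input standing in for {malicious_code} from the summary:
// it tries to break out of the attribute context and inject an event handler.
const SAMPLE_INPUT = '"><img src=x onerror=alert(1)>';

// Stand-alone demo (CommonJS only; skipped when the file is loaded as an ES module).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('--- vulnerable ---\n' + renderSearchPageVulnerable(SAMPLE_INPUT));
  console.log('--- hardened ---\n' + renderSearchPageSafe(SAMPLE_INPUT));
  console.log('javascript: URL allowed?', isSafeNavigationUrl('javascript:alert(1)'));
}
```

Run it with `node` to see the two renderings side by side. The point the comparison makes is that one encoder does not fit all contexts: the HTML-content encoder leaves `=` and `(` alone, which is fine inside an element body but not inside an event-handler attribute or a script block, and no encoder at all makes a `javascript:` URL safe in an href, which is why the last check validates the scheme instead. The CSS context from the guidelines is omitted here because untrusted data should rarely reach style values at all.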
  • CWE-79
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References