These docs are for v1.1.

Reflective Cross-Site Scripting (rXSS)

Severity: High
Test name: Cross-Site Scripting (XSS)
Summary

The application includes unvalidated and unescaped user input as part of its HTML output. The attack requires nothing more than tricking a user into clicking a link. When the user visits the crafted page (for example, clicks a URL such as https://{your_web_site}.com?search={malicious_code}, which they may receive by email), the script ({malicious_code}) supplied by the attacker is reflected into the response and executed in the user's browser while the application runs.

A successful attack allows the attacker to execute arbitrary HTML and JavaScript in the user's browser. As a result, the attacker gains access to the application in the victim's context and can do anything the victim (user) can do on the client side, such as reading cookies, session tokens and other client-side data.

Impact

This vulnerability allows an attacker to:

  • Execute unauthorized code or commands
  • Bypass protection mechanisms
  • Read application data
  • Deface the application

Location

The issue can be found in the source code on the client side.

Remedy suggestions
  • Never insert untrusted data anywhere except in the locations listed below, and only with the matching encoding. Where possible, do not put untrusted data into your HTML document at all.
  • Apply HTML encoding before inserting untrusted data into HTML element content.
  • Apply attribute encoding before inserting untrusted data into common HTML attribute values.
  • Apply JavaScript encoding before inserting untrusted data into JavaScript data values.
  • Apply CSS encoding and strictly validate the untrusted data before inserting it into HTML style property values.
  • Apply URL encoding before inserting untrusted data into HTML URL parameter values.
  • Sanitize HTML markup with a library designed for the job. If your application handles markup (untrusted input that is supposed to contain HTML), validating it is very difficult, and encoding would break the tags that are supposed to be in the input. Instead, use a library that parses and cleans HTML-formatted text, for example: HtmlSanitizer (https://github.com/mganss/HtmlSanitizer), OWASP Java HTML Sanitizer (https://owasp.org/www-project-java-html-sanitizer/), DOMPurify (https://github.com/cure53/DOMPurify), or an equivalent library.
  • Avoid JavaScript URLs. Untrusted URLs that use the javascript: scheme execute JavaScript code when placed in URL DOM locations, such as an anchor tag's href attribute or an iframe's src attribute. Validate all untrusted URLs to ensure they only use safe schemes such as HTTPS.
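The following is an added example, written for this page and not code from the product or project the page documents, that ties the Summary's reflected search parameter to the remedy list above. It shows a server-side template that reflects a search value into four output contexts (element content, attribute value, JavaScript string, URL parameter) with no encoding, beside a hardened version that applies the context-specific encoder from the list to each insertion point and allowlists URL schemes. All function names (encodeForHtml, renderSearchPageSafe, isSafeUrl and so on) and the sample payload are assumptions constructed for the illustration.

```javascript
// Added example: context-aware output encoding for a reflected "search" page.
// Illustrative code written for this page; helper names and the payload are constructed.

// Entity-encode for HTML element content (text nodes).
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Encode for a quoted HTML attribute value: every non-alphanumeric byte becomes &#xHH;.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// Encode for a JavaScript string literal: \xHH for code points below 256, \uHHHH otherwise.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? `\\x${code.toString(16).padStart(2, '0').toUpperCase()}`
      : `\\u${code.toString(16).padStart(4, '0').toUpperCase()}`;
  });
}

// Encode for a URL query parameter value.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Scheme allowlist for URLs taken from untrusted input: only http and https pass.
// Relative paths resolve against a placeholder base and therefore pass as well.
function isSafeUrl(s) {
  try {
    const u = new URL(String(s), 'https://example.invalid/');
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch {
    return false;
  }
}

// Vulnerable: the raw query is reflected into four different HTML contexts.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for ${query}</h1>
<input name="search" value="${query}">
<script>var last = "${query}";</script>
<a href="/search?q=${query}">Search again</a>`;
}

// Hardened: each insertion point gets the encoder that matches its context.
function renderSearchPageSafe(query) {
  return `<h1>Results for ${encodeForHtml(query)}</h1>
<input name="search" value="${encodeForHtmlAttribute(query)}">
<script>var last = "${encodeForJavaScript(query)}";</script>
<a href="/search?q=${encodeForUrlParam(query)}">Search again</a>`;
}

// For a URL supplied by the user: reject unsafe schemes first, then attribute-encode.
function renderUntrustedLink(url) {
  const href = isSafeUrl(url) ? url : '#';
  return `<a href="${encodeForHtmlAttribute(href)}">link</a>`;
}

// Constructed sample payload of the kind a reflected-XSS test would send.
const SAMPLE_PAYLOAD = '"><script>alert(1)</script>';

// True when the rendered page still contains the payload's markup unencoded.
function reflectsRawMarkup(html) {
  return /<script>alert\(1\)<\/script>/.test(html);
}

// Stand-alone run: the vulnerable page reflects the markup, the hardened page does not.
console.log('vulnerable reflects raw markup:', reflectsRawMarkup(renderSearchPageVulnerable(SAMPLE_PAYLOAD)));
console.log('hardened reflects raw markup:', reflectsRawMarkup(renderSearchPageSafe(SAMPLE_PAYLOAD)));
```

The point of keeping four separate encoders is that one encoder does not fit all contexts: HTML entity encoding does nothing inside a JavaScript string, and URL encoding does nothing inside an attribute. Pick the encoder by where the value lands, and treat a URL value as a validation problem (scheme allowlist) before it is an encoding problem.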
Classifications
  • CWE-79
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References