Configuration Management / Browser Cross-Site Scripting Filter Disabled
Description
Browser cross-site scripting filter disabled (CWE-79) is a configuration management vulnerability that falls under the Web and API category. Because the cross-site scripting filter is not enabled, malicious code can be executed in the user’s browser. According to the OWASP Testing Guide, cross-site scripting filters are used to prevent malicious scripts from being injected into webpages and then executed by the user’s browser.
Risk
If an attacker can inject malicious code into a webpage, they can access and control the user’s browser. This can lead to data theft, data manipulation, data destruction, and other malicious activities. This vulnerability is assessed as critical risk because sensitive data is at risk of being compromised.
Solution
The best way to address this vulnerability is to enable the cross-site scripting filter in the browser. This should be done for all webpages that the user visits. Additionally, websites should be regularly tested for any cross-site scripting vulnerabilities.
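One way to test for this condition, as an added example that is not part of the original page: it assumes the filter is controlled by the `X-XSS-Protection` response header, which the page does not name. The function names, host names and responses are constructed for illustration.

```python
# Added example. Assumption: the filter is controlled by the X-XSS-Protection
# response header. All responses and host names below are constructed samples.

def header_values(raw_response, name):
    """Return every value of header `name` from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def classify_xss_filter(raw_response):
    """Classify the filter setting a response asks the browser to apply."""
    values = header_values(raw_response, "X-XSS-Protection")
    if not values:
        return "missing"      # no instruction sent; the browser default applies
    if len(values) > 1:
        return "ambiguous"    # duplicate headers; review by hand
    parts = [p.replace(" ", "").lower() for p in values[0].split(";")]
    parts = [p for p in parts if p]
    if not parts or parts[0] not in ("0", "1"):
        return "invalid"
    if parts[0] == "0":
        return "disabled"     # the condition this page describes
    return "enabled-block" if "mode=block" in parts[1:] else "enabled-sanitize"


SAMPLES = {  # constructed responses keyed by constructed host names
    "app.example": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 0\r\n\r\n<html></html>",
    "shop.example": "HTTP/1.1 200 OK\r\nx-xss-protection: 1; mode=block\r\n\r\n",
    "blog.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "old.example": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1\r\n"
                   "X-XSS-Protection: 0\r\n\r\n",
    "dev.example": "HTTP/1.1 200 OK\r\nX-XSS-Protection: yes\r\n\r\n",
}


def audit(samples):
    """Map each host to its classification."""
    return {host: classify_xss_filter(raw) for host, raw in samples.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(f"{host:14} {status}")
```

Only header lines before the first blank line are read, so header-like text in a response body is not counted.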
Example
An example of this vulnerability can be found in CVE-2020-11818. An attacker injects malicious JavaScript code into a vulnerable webpage. The code is then executed by the browser of a user who visits the page, and the attacker can access and control that user’s browser.