Back to Vulnerability Database

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

Cross-site Scripting (XSS) is a vulnerability that occurs when software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page served to other users. XSS enables attackers to inject malicious client-side scripts into web pages viewed by other users. There are three main types: Reflected XSS (malicious script comes from the current HTTP request), Stored XSS (malicious script is permanently stored on the target server), and DOM-based XSS (vulnerability exists in client-side code rather than server-side). When executed in a victim's browser, these scripts can steal session cookies, capture credentials, perform actions on behalf of users, redirect to malicious sites, or modify page content for phishing attacks.

Risk

XSS remains one of the most prevalent and dangerous web application vulnerabilities, consistently appearing in OWASP Top 10. The impact ranges from session hijacking and credential theft to complete account takeover and malware distribution. Stored XSS is particularly dangerous as it affects all users viewing the compromised content without requiring them to click a malicious link. High-profile attacks like the Samy MySpace worm infected over one million profiles in hours, while the British Airways Magecart attack leveraged XSS to steal payment card data from 380,000 customers, resulting in a £20 million fine. XSS enables sophisticated phishing attacks that are difficult to detect since they appear to originate from trusted domains, and can serve as an entry point for more severe attacks including malware deployment.

Solution

Implement context-aware output encoding for all user-supplied data before rendering in web pages. Use HTML entity encoding for HTML body content, JavaScript encoding for data placed in JavaScript, URL encoding for URL parameters, and CSS encoding for style contexts. Employ Content Security Policy (CSP) headers to restrict script execution sources and mitigate the impact of successful XSS. Use modern web frameworks that automatically escape output by default (React, Angular, Vue.js). Validate and sanitize input using allowlists, but recognize that output encoding is the primary defense. For rich text input, use proven sanitization libraries like DOMPurify. Set HttpOnly and Secure flags on session cookies to prevent theft via XSS. Implement Subresource Integrity (SRI) for third-party scripts.

Common Consequences

ImpactDetails
ConfidentialityScope: Confidentiality

Attackers can steal session cookies, access tokens, and sensitive data displayed on pages. Personal information, financial data, and credentials can be exfiltrated to attacker-controlled servers.
IntegrityScope: Integrity

XSS allows attackers to modify page content, inject fake forms for phishing, alter transaction details, or deface websites. Users may be tricked into performing unintended actions.
Access ControlScope: Access Control

Session hijacking through stolen cookies enables complete account takeover. Attackers can perform any action the victim can perform, including changing passwords and accessing sensitive functionality.
AvailabilityScope: Availability

XSS worms can spread rapidly causing service degradation. Malicious scripts can cause browser crashes or redirect users away from legitimate services.

Example Code + Solution Code

The following example demonstrates vulnerable and secure handling of user input in web applications:

Vulnerable Code

<!-- VULNERABLE: PHP with direct output -->
<?php
// Reflected XSS - user input directly in response
$search = $_GET['q'];
echo "<h2>Search results for: $search</h2>";

// Stored XSS - unsanitized data from database
$comment = $row['comment']; // Contains: <script>alert('XSS')</script>
echo "<div class='comment'>$comment</div>";
?>

<!-- VULNERABLE: JavaScript DOM manipulation -->
<script>
// DOM-based XSS - innerHTML with user input
var userInput = window.location.hash.substring(1);
document.getElementById('greeting').innerHTML = 'Hello, ' + userInput;

// Vulnerable: Creating elements with user data
var name = new URLSearchParams(window.location.search).get('name');
document.write('<h1>Welcome ' + name + '</h1>');
</script>

<!-- VULNERABLE: Event handlers with user input -->
<img src="x" onerror="alert('XSS')">
<a href="javascript:alert('XSS')">Click me</a>

All examples are vulnerable because user input is placed directly into HTML, JavaScript, or URL contexts without proper encoding or sanitization.

Fixed Code

<?php
// SAFE: Proper output encoding in PHP

// Reflected XSS prevention - HTML entity encoding
$search = $_GET['q'] ?? '';
$safe_search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
echo "<h2>Search results for: {$safe_search}</h2>";

// Stored XSS prevention - always encode output from database
$comment = $row['comment'];
$safe_comment = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
echo "<div class='comment'>{$safe_comment}</div>";

// For JavaScript context, use json_encode()
$user_data = $_GET['data'] ?? '';
?>

<!-- Content Security Policy header -->
<?php
header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
?>

<!-- SAFE: JavaScript with proper handling -->
<script>
// Safe: Using textContent instead of innerHTML
var userInput = window.location.hash.substring(1);
var sanitized = DOMPurify.sanitize(userInput);
document.getElementById('greeting').textContent = 'Hello, ' + sanitized;

// Safe: Using createElement and textContent
function displayName(name) {
    var h1 = document.createElement('h1');
    h1.textContent = 'Welcome ' + name;  // textContent auto-escapes
    document.body.appendChild(h1);
}

// Safe: Proper JSON encoding for data in script
var serverData = <?php echo json_encode($user_data, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP); ?>;

// Safe: URL validation for href attributes
function safeLink(url) {
    try {
        var parsed = new URL(url, window.location.origin);
        // Only allow http/https protocols
        if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
            return parsed.href;
        }
    } catch (e) {
        return '#';
    }
    return '#';
}
</script>

<!-- SAFE: Using data attributes instead of inline handlers -->
<button id="actionBtn" data-action="submit">Submit</button>
<script>
document.getElementById('actionBtn').addEventListener('click', function(e) {
    var action = e.target.dataset.action;
    // Process action safely
});
</script>

<!-- SAFE: Image with validated source -->
<?php
$image_url = $_GET['img'] ?? '';
// Validate URL is from allowed domain
if (preg_match('/^https:\/\/trusted-cdn\.com\/images\/[a-zA-Z0-9_-]+\.(jpg|png|gif)$/', $image_url)) {
    echo '<img src="' . htmlspecialchars($image_url, ENT_QUOTES, 'UTF-8') . '" alt="User image">';
}
?>

The fixed code implements multiple layers of defense: htmlspecialchars() for HTML context encoding, json_encode() with proper flags for JavaScript contexts, textContent instead of innerHTML for DOM manipulation, Content Security Policy headers, URL validation for link attributes, and DOMPurify for cases where HTML input must be allowed.

Exploited in the Wild

British Airways Magecart Attack (British Airways, 2018)

The Magecart hacking group exploited an XSS vulnerability to inject malicious JavaScript into British Airways' website and mobile application. The 22-line skimming script captured payment card data entered by customers and transmitted it to an attacker-controlled domain (baways.com). The attack compromised data from approximately 380,000 transactions over 15 days, exposing names, addresses, payment card numbers, expiry dates, and CVVs. The breach resulted in a £20 million GDPR fine from the UK Information Commissioner's Office.

Samy MySpace Worm (MySpace, 2005)

Security researcher Samy Kamkar created a stored XSS worm that exploited MySpace's profile pages. The worm injected JavaScript that automatically added Kamkar as a friend and copied itself to victims' profiles when viewed. Within 20 hours, the worm infected over one million user profiles, making it one of the fastest-spreading viruses in history. The attack demonstrated how XSS could enable self-propagating malware affecting massive user populations.

Fortnite Account Compromise (Epic Games, 2019)

Researchers discovered XSS vulnerabilities in Fortnite's authentication system that could have affected over 200 million users. The vulnerabilities in a legacy, unsecured page allowed attackers to steal authentication tokens, access user accounts, view personal information, purchase V-Bucks (in-game currency) using stored payment cards, and eavesdrop on in-game voice chat. Epic Games patched the vulnerabilities after responsible disclosure.

Tools to test/exploit

  • Burp Suite — comprehensive web security testing platform with automated XSS scanning, DOM-based XSS detection, and tools for crafting and testing XSS payloads across various contexts.

  • XSStrike — advanced XSS detection tool that uses fuzzing and intelligent payload generation to discover reflected, stored, and DOM-based XSS vulnerabilities.

  • OWASP ZAP — open-source web application security scanner with active and passive XSS detection, including DOM XSS analysis through browser integration.

CVE Examples

  • CVE-2023-28432 — MinIO Console reflected XSS through error message handling allowing session hijacking.

  • CVE-2023-37580 — Zimbra Collaboration reflected XSS in webmail classic interface exploited in targeted attacks.

  • CVE-2024-21893 — Ivanti Connect Secure stored XSS in admin interface enabling administrator session theft.

  • CVE-2022-21703 — Grafana stored XSS through dashboard annotations affecting enterprise monitoring platforms.

References

  1. MITRE. "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')." Common Weakness Enumeration. https://cwe.mitre.org/data/definitions/79.html

  2. OWASP. "Cross Site Scripting (XSS)." OWASP Foundation. https://owasp.org/www-community/attacks/xss/

  3. PortSwigger. "Cross-site scripting." Web Security Academy. https://portswigger.net/web-security/cross-site-scripting

  4. OWASP. "XSS Prevention Cheat Sheet." OWASP Cheat Sheet Series. https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html