| Threat Agents | Attack Vectors | Security Weakness | | Technical Impacts | Business Impacts |
| --- | --- | --- | --- | --- | --- |
| Application Specific | Exploitability: Easy | Prevalence: Common | Detectability: Average | Impact: Severe | App/Business Specific |
- You are vulnerable to Server XSS if your server-side code uses user-supplied input as part of the HTML output and does not apply context-sensitive escaping to ensure it cannot run.
- Automated tools can find some XSS problems automatically.
- However, complete coverage requires a combination of manual code review and penetration testing, in addition to automated approaches.
Preventing XSS requires separation of untrusted data from active browser content.
- For rich content, consider auto-sanitization libraries like OWASP’s AntiSamy or the Java HTML Sanitizer Project.
- Consider Content Security Policy (CSP) to defend against XSS across your entire site.
Example Attack Scenarios
The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
```java
// Vulnerable: the untrusted 'CC' parameter is concatenated into an HTML attribute without escaping.
(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
```
The attacker modifies the ‘CC’ parameter in his browser to:
This attack causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session. Note that attackers can also use XSS to defeat any automated CSRF defense the application might employ.
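As an added illustration of the scenario above and of the context-sensitive escaping recommended under prevention (example code written for this page, not from OWASP), the vulnerable snippet sits beside a hardened version. `escapeHtmlAttribute` is a hypothetical helper written here following the cheat sheet's rule of encoding `& < > " ' /`, and the servlet request is replaced by a plain string parameter so the class runs stand-alone:

```java
public class XssEscapingDemo {

    // Vulnerable: untrusted input concatenated straight into an HTML attribute.
    // Mirrors the page's snippet; 'cc' stands in for request.getParameter("CC").
    static String vulnerableInput(String cc) {
        return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
    }

    // Hypothetical helper: escape for the HTML attribute / element text context.
    // Encodes every character that can end the attribute or start a tag or entity.
    static String escapeHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened: identical markup, but the untrusted value is escaped for its context,
    // so it can only ever be the attribute's literal value.
    static String safeInput(String cc) {
        return "<input name='creditcard' type='TEXT' value='" + escapeHtmlAttribute(cc) + "'>";
    }

    public static void main(String[] args) {
        // Constructed sample value: closes the quoted attribute and opens a new element.
        String hostile = "'><b>injected</b><input name='";

        // Output contains a second element: the attribute boundary was broken.
        System.out.println(vulnerableInput(hostile));

        // Output is a single <input>; quotes and angle brackets appear as entities.
        System.out.println(safeInput(hostile));
    }
}
```

The same escaping must be chosen per output context (attribute, element body, JavaScript, URL); an HTML attribute escaper is not sufficient when the value lands inside a `<script>` block or an event handler.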
Cross-Site Scripting Prevention Cheat Sheet