πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Cross Site Scripting

Cross-Site Scripting (XSS) occurs when untrusted input is incorporated into a web page without proper validation or output encoding. This allows an adversary to inject malicious JavaScript into the page. When other users load the compromised page, the attacker’s script executes in their browser, enabling session hijacking, credential theft, or arbitrary actions on behalf of the victim.

Remediation

  • Use modern frontend frameworks (e.g., React, Angular, Vue) that automatically apply context-aware escaping for untrusted data.
  • Apply strict, context-sensitive output encoding for any data rendered into HTML, attributes, JavaScript, or CSS.
  • Enforce Content Security Policy (CSP) to reduce the impact of potential XSS by restricting inline scripts and untrusted sources.
  • Validate and sanitise input to minimise attack surface, especially in legacy code where auto-escaping is not available.

Metadata

  • Severity: medium
  • Slug: cross-site-scripting

CWEs

  • 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • 83: Improper Neutralization of Script in Attributes in a Web Page
  • 116: Improper Encoding or Escaping of Output

OWASP

  • A03:2021: Injection
  • A7:2017: Cross-Site Scripting (XSS)
Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.