CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
常见后果
影响范围: Access Control Confidentiality
技术影响: Bypass Protection Mechanism Read Application Data
说明: The most common attack performed with cross-site scripting involves the disclosure of private information stored in user cookies, such as session information. Typically, a malicious user will craft a client-side script, which -- when parsed by a web browser -- performs some activity on behalf of the victim to an attacker-controlled system (such as sending all site cookies to a given E-mail address). This could be especially dangerous to the site if the victim has administrator privileges to manage that site. This script will be loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also.
影响范围: Integrity Confidentiality Availability
技术影响: Execute Unauthorized Code or Commands
说明: In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws, for example, "drive-by hacking."
影响范围: Confidentiality Integrity Availability Access Control
技术影响: Execute Unauthorized Code or Commands Bypass Protection Mechanism Read Application Data
说明: The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Some cross-site scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running "Active X" controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content.
潜在缓解措施
阶段: Architecture and Design
策略: Libraries or Frameworks
阶段: Implementation Architecture and Design
阶段: Architecture and Design Implementation
策略: Attack Surface Reduction
描述: Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
有效性: Limited
阶段: Architecture and Design
描述: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
阶段: Architecture and Design
策略: Parameterization
描述: If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
阶段: Implementation
策略: Output Encoding
阶段: Implementation
描述: With Struts, write all data from form beans with the bean's filter attribute set to true.
阶段: Implementation
策略: Attack Surface Reduction
描述: To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
有效性: Defense in Depth
阶段: Implementation
策略: Input Validation
阶段: Architecture and Design
策略: Enforcement by Conversion
描述: When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
阶段: Operation
策略: Firewall
描述: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
有效性: Moderate
阶段: Operation Implementation
策略: Environment Hardening
描述: When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
检测方法
方法: Automated Static Analysis
Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.
有效性: Moderate
方法: Black Box
Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.
有效性: Moderate
观察示例
参考: CVE-2024-49038
XSS in AI assistant
参考: CVE-2024-54142
Plugin that enables AI features allows input with html entities, leading to XSS
参考: CVE-2021-25926
Python Library Manager did not sufficiently neutralize a user-supplied search term, allowing reflected XSS.
参考: CVE-2021-25963
Python-based e-commerce platform did not escape returned content on error pages, allowing for reflected Cross-Site Scripting attacks.
参考: CVE-2021-1879
Universal XSS in mobile operating system, as exploited in the wild per CISA KEV.
参考: CVE-2020-3580
Chain: improper input validation (CWE-20) in firewall product leads to XSS (CWE-79), as exploited in the wild per CISA KEV.
参考: CVE-2014-8958
Admin GUI allows XSS through cookie.
参考: CVE-2017-9764
Web stats program allows XSS through crafted HTTP header.
参考: CVE-2014-5198
Web log analysis product allows XSS through crafted HTTP Referer header.
参考: CVE-2008-5080
Chain: protection mechanism failure allows XSS
参考: CVE-2006-4308
Chain: incomplete denylist (CWE-184) only checks "javascript:" tag, allowing XSS (CWE-79) using other tags
参考: CVE-2007-5727
Chain: incomplete denylist (CWE-184) only removes SCRIPT tags, enabling XSS (CWE-79)
参考: CVE-2008-5770
Reflected XSS using the PATH_INFO in a URL
参考: CVE-2008-4730
Reflected XSS not properly handled when generating an error message
参考: CVE-2008-5734
Reflected XSS sent through email message.
参考: CVE-2008-0971
Stored XSS in a security product.
参考: CVE-2008-5249
Stored XSS using a wiki page.
参考: CVE-2006-3568
Stored XSS in a guestbook application.
参考: CVE-2006-3211
Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.
参考: CVE-2006-3295
Chain: library file is not protected against a direct request (CWE-425), leading to reflected XSS (CWE-79).
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Cross-site scripting (XSS) | - |
| 7 Pernicious Kingdoms | - | Cross-site Scripting | - |
| CLASP | - | Cross-site scripting | - |
| OWASP Top Ten 2007 | A1 | Cross Site Scripting (XSS) | Exact |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE More Specific |
| OWASP Top Ten 2004 | A4 | Cross-Site Scripting (XSS) Flaws | Exact |
| WASC | 8 | Cross-site Scripting | - |
| Software Fault Patterns | SFP24 | Tainted input to command | - |
| OMG ASCSM | ASCSM-CWE-79 | - |
关键信息
CWE ID: CWE-79
抽象级别: Base
结构: Simple
状态: Stable
利用可能性: High