Cross-site scripting (XSS)
Related error
"This server is vulnerable to a cross-site scripting attack. Make sure the client-side (JavaScript) data is secure and validated."
Problem
Cross-site scripting is a web attack on vulnerable web applications using JavaScript. Malicious content is delivered to JavaScript-enabled users via an unsafe or untrusted source by composing the data to a dangerous sink inside the Document Object Model (DOM) rather than in HTML which presents a regular XSS.
XSS attacks happen when the input data to a web application is not validated and the output data to the browser is not encoded in HTML.
When XSS attacks are successful, attackers can:
Hijack an account.
Spread web worms.
Access browser history and clipboard contents.
Control the browser remotely.
Scan and exploit intranet appliances and applications.
Solution
To identify and prevent XSS errors in web applications:
Validate the data entered by user browsers in the web application.
Encode all output to user browsers from the web application.
Give users the ability to disable client-side scripts.