Cross-Site Scripting (XSS) - Reflected

Vulnerability Details

Severity: High

Category: Web Application

Description

The application reflects user-supplied input in HTTP responses without proper encoding or sanitization, allowing attackers to inject malicious scripts.

Risks

An attacker could steal session cookies, capture user credentials, perform actions on behalf of users, redirect users to malicious sites, or deface the application.

Remediation

Apply output encoding to all user-supplied data at the point it is written into the response, choosing the encoding for the context it lands in (HTML body, HTML attribute, JavaScript, URL). Deploy a Content Security Policy (CSP) header as defense in depth. Validate and sanitize all input on the server side. Prefer templating engines that auto-escape by default, so that encoding is not left to each developer.
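The following is an added example, not code from the assessed application, showing the reflection pattern described above beside its encoded form, plus a CSP header of the kind the remediation calls for. The `SAMPLE_QUERY` value and the function names are constructed for illustration.

```python
import html
import json

# Constructed sample of a reflected search term (hypothetical, not from the report).
SAMPLE_QUERY = '"><script>alert(1)</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflects the query verbatim into an attribute and the page body (the finding)."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def render_search_hardened(query: str) -> str:
    """Encodes the query for the HTML contexts it lands in.

    html.escape(quote=True) encodes &, <, >, " and ', which is sufficient for
    both a double-quoted attribute value and an element body.
    """
    encoded = html.escape(query, quote=True)
    return f'<input name="q" value="{encoded}"><p>Results for {encoded}</p>'


def render_inline_js_hardened(query: str) -> str:
    """A value reflected inside <script> needs JavaScript-string encoding, not HTML encoding.

    json.dumps yields a quoted JS string literal; '<' and '>' are then written as
    \\u escapes so a reflected '</script>' cannot terminate the block early.
    """
    literal = json.dumps(query).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var q = {literal};</script>"


def security_headers() -> dict:
    """Response headers that limit the impact of any reflection that slips through."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_QUERY))
    print(render_search_hardened(SAMPLE_QUERY))
    print(render_inline_js_hardened(SAMPLE_QUERY))
    print(security_headers())
```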