CVE Vulnerabilities

CVE-2011-0013

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Published: Feb 19, 2011 | Modified: Feb 13, 2023
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V2
4.3 MODERATE
AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V3
Ubuntu
LOW

Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.

Weakness

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Software

Name Vendor Start Version End Version
Tomcat Apache 7.0.0 (including) 7.0.0 (including)
Tomcat Apache 7.0.1 (including) 7.0.1 (including)
Tomcat Apache 7.0.2 (including) 7.0.2 (including)
Tomcat Apache 7.0.3 (including) 7.0.3 (including)
Tomcat Apache 7.0.4 (including) 7.0.4 (including)
Tomcat Apache 7.0.5 (including) 7.0.5 (including)
JBEWS 1.0 for RHEL 4 RedHat ant-0:1.7.1-13.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat antlr-0:2.7.7-7.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat bcel-0:5.2-8.1.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat cglib-0:2.2-5.1.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat dom4j-0:1.6.1-11.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat ecj-1:3.3.1.1-3.2.2.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat glassfish-jaf-0:1.1.0-6.1.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat glassfish-javamail-0:1.4.2-0.4.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat glassfish-jsf-0:1.2_13-2.2.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat hibernate3-1:3.3.2-1.5.GA_CP04.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat hibernate3-annotations-0:3.4.0-3.3.GA_CP04.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat hibernate3-commons-annotations-0:3.1.0-1.8.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat hibernate3-ejb-persistence-3.0-api-1:1.0.2-3.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat hibernate3-entitymanager-0:3.4.0-4.3.GA_CP04.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat httpd22-0:2.2.17-14.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-beanutils-0:1.8.0-4.1.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-chain-0:1.2-2.2.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-codec-0:1.3-9.1.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-collections-0:3.2.1-4.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-daemon-1:1.0.5-1.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-daemon-jsvc-1:1.0.5-1.4.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-dbcp-0:1.2.1-16.4.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-digester-0:1.8.1-8.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-el-0:1.0-19.2.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-fileupload-1:1.1.1-7.4.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-httpclient-1:3.1-1.1.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-io-0:1.4-1.3.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-launcher-0:1.1-4.6.1.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-logging-0:1.1.1-0.4.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-logging-jboss-0:1.1-10.2.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-modeler-0:2.0-4.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-pool-0:1.3-11.2.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-commons-validator-0:1.3.1-7.5.1.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-oro-0:2.0.8-3.3.2.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jakarta-taglibs-standard-0:1.1.1-9.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat javassist-0:3.12.0-1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jboss-common-core-0:2.2.17-1.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jboss-common-logging-jdk-0:2.1.2-1.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jboss-common-logging-spi-0:2.1.2-1.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jboss-javaee-0:5.0.1-2.9.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jcommon-0:1.0.16-1.2.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat jfreechart-0:1.0.13-2.3.2.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat log4j-0:1.2.14-18.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat mod_cluster-0:1.0.10-2.GA_CP01.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat mod_cluster-native-0:1.0.10-2.GA_CP01.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat mod_jk-0:1.2.31-1.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat mx4j-1:3.0.1-9.3.4.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat objectweb-asm-0:3.1-5.3.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat regexp-0:1.5-1.2.1.jdk6.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat struts12-0:1.2.9-3.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat tomcat5-0:5.5.33-14_patch_04.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat tomcat6-0:6.0.32-15_patch_03.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat tomcat-jkstatus-ant-0:1.2.31-2.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat tomcat-native-0:1.1.20-2.0.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat xalan-j2-0:2.7.1-5.3_patch_04.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat xerces-j2-0:2.9.1-3.patch01.1.ep5.el4 *
JBEWS 1.0 for RHEL 4 RedHat xml-commons-1:1.3.04-7.12.ep5.el4 *
Red Hat Enterprise Linux 5 RedHat tomcat5-0:5.5.23-0jpp.22.el5_7 *
Red Hat Enterprise Linux 6 RedHat tomcat6-0:6.0.24-33.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat ant-0:1.7.1-13.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat antlr-0:2.7.7-7.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat cglib-0:2.2-5.1.1.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat dom4j-0:1.6.1-11.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat ecj3-1:3.3.1.1-3.1.1.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat glassfish-jsf-0:1.2_13-3.1.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat hibernate3-1:3.3.2-1.4.GA_CP04.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat hibernate3-annotations-0:3.4.0-3.2.GA_CP04.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat hibernate3-commons-annotations-0:3.1.0-1.8.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat hibernate3-ejb-persistence-3.0-api-1:1.0.2-3.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat hibernate3-entitymanager-0:3.4.0-4.3.GA_CP04.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat httpd-0:2.2.17-11.1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-beanutils-0:1.8.0-4.1.2.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-chain-0:1.2-2.2.1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-codec-0:1.3-9.2.1.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-collections-0:3.2.1-4.1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-daemon-1:1.0.5-1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-daemon-jsvc-1:1.0.5-1.4.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-dbcp-0:1.2.1-16.4.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-digester-0:1.8.1-8.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-fileupload-1:1.1.1-7.4.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-httpclient-1:3.1-1.2.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-io-0:1.4-1.3.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-logging-0:1.1.1-0.4.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-logging-jboss-0:1.1-10.2.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-pool-0:1.3-11.2.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-commons-validator-0:1.3.1-7.5.2.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-oro-0:2.0.8-3.3.2.1.1.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jakarta-taglibs-standard-0:1.1.1-9.1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat javassist-0:3.12.0-1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jboss-common-core-0:2.2.17-1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jboss-common-logging-jdk-0:2.1.2-1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jboss-common-logging-spi-0:2.1.2-1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jboss-javaee-0:5.0.1-2.9.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jcommon-0:1.0.16-1.2.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat jfreechart-0:1.0.13-2.3.2.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat mod_cluster-0:1.0.10-2.1.GA_CP01.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat mod_cluster-native-0:1.0.10-2.1.GA_CP01.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat mod_jk-0:1.2.31-1.1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat objectweb-asm-0:3.1-5.3.1.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat struts12-0:1.2.9-3.1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat tomcat5-0:5.5.33-16_patch_04.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat tomcat6-0:6.0.32-15.1_patch_03.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat tomcat-jkstatus-ant-0:1.2.31-2.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat tomcat-native-0:1.1.20-2.1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat xalan-j2-0:2.7.1-5.3_patch_04.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat xerces-j2-0:2.9.1-3.patch01.1.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 RedHat xml-commons-0:1.3.04-7.10.jdk6.ep5.el5 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat ant-0:1.7.1-14.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat antlr-0:2.7.7-7.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat cglib-0:2.2-5.4.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat dom4j-0:1.6.1-11.1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat ecj3-1:3.3.1.1-4.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat glassfish-jsf-0:1.2_13-3.1.4.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat hibernate3-1:3.3.2-1.8.GA_CP04.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat hibernate3-annotations-0:3.4.0-3.5.GA_CP04.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat hibernate3-commons-annotations-0:3.1.0-1.8.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat hibernate3-ejb-persistence-3.0-api-1:1.0.2-3.3.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat hibernate3-entitymanager-0:3.4.0-4.4.GA_CP04.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat httpd-0:2.2.17-11.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-beanutils-0:1.8.0-9.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-chain-0:1.2-2.2.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-codec-0:1.3-12.1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-collections-0:3.2.1-4.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-daemon-1:1.0.5-1.1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-daemon-jsvc-1:1.0.5-1.4.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-dbcp-0:1.2.1-16.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-digester-0:1.8.1-8.1.1.1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-fileupload-1:1.1.1-7.5.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-httpclient-1:3.1-1.2.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-io-0:1.4-4.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-logging-0:1.1.1-1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-logging-jboss-0:1.1-10.2.2.1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-pool-0:1.3-15.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-commons-validator-0:1.3.1-7.5.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-oro-0:2.0.8-7.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jakarta-taglibs-standard-0:1.1.1-12.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat javassist-0:3.12.0-3.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jboss-common-core-0:2.2.17-1.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jboss-common-logging-jdk-0:2.1.2-1.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jboss-common-logging-spi-0:2.1.2-1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jboss-javaee-0:5.0.1-2.9.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jcommon-0:1.0.16-1.2.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat jfreechart-0:1.0.13-2.3.2.1.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat mod_cluster-0:1.0.10-2.2.GA_CP01.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat mod_cluster-native-0:1.0.10-2.1.1.GA_CP01.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat mod_jk-0:1.2.31-1.1.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat objectweb-asm31-0:3.1-12.1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat struts12-0:1.2.9-3.1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat tomcat5-0:5.5.33-15_patch_04.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat tomcat6-0:6.0.32-14_patch_03.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat tomcat-jkstatus-ant-0:1.2.31-2.1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat tomcat-native-0:1.1.20-2.1.2.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat xalan-j2-0:2.7.1-5.3_patch_04.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat xerces-j2-0:2.9.1-8.patch01.1.ep5.el6 *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 RedHat xml-commons-0:1.3.04-7.14.ep5.el6 *
Red Hat JBoss Web Server 1.0 RedHat *
Tomcat5 Ubuntu dapper *
Tomcat5.5 Ubuntu hardy *
Tomcat5.5 Ubuntu upstream *
Tomcat6 Ubuntu karmic *
Tomcat6 Ubuntu lucid *
Tomcat6 Ubuntu maverick *
Tomcat6 Ubuntu upstream *

Extended Description

Cross-site scripting (XSS) vulnerabilities occur when:

There are three main kinds of XSS:

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim’s machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim’s account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim’s machine, sometimes referred to as “drive-by hacking.” In many cases, the attack can be launched without the victim even being aware of it. Even with careful users, attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious.

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

  • Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft’s Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

  • Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

  • For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

  • Parts of the same output document may require different encodings, which will vary depending on whether the output is in the:

  • etc. Note that HTML Entity Encoding is only appropriate for the HTML body.

  • Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”

  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

  • When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

  • Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the “<” character, which would need to be escaped or otherwise handled. In this case, stripping the “<” might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities.

  • Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.

  • Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

References