
CWE-79: Cross-Site Scripting (XSS)

Overview

This guidance helps interpret DAST findings for CWE-79: Cross-Site Scripting (XSS). During dynamic scanning, the scanner detected that user-controlled input was reflected or stored in HTML responses without proper encoding, allowing injection of malicious JavaScript.

What the DAST scanner detected:

  • Script payloads reflected unencoded in HTTP responses (<script>alert(1)</script>, <img src=x onerror=alert(1)>)
  • JavaScript execution confirmed via callbacks to scanner-controlled servers or DOM-based detection
  • Context-specific injection in HTML elements, attributes (<input value="[payload]"), JavaScript blocks, or URLs
  • Browser-based verification: Headless browsers (like ZAP's Ajax Spider) executing injected scripts
  • Polyglot payloads that work across multiple contexts, for example:
    jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>

Key DAST evidence:

  • Input: ?search=<script>alert(1)</script> appears unencoded in response HTML
  • Callback to http://scanner.burpcollaborator.net from injected <script>fetch('http://scanner.burpcollaborator.net')</script>
  • Event handler execution: ?name="onmouseover=alert(1) rendered as <input value="" onmouseover=alert(1)>
  • DOM-based: JavaScript reads location.hash and writes to innerHTML without sanitization

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

When reviewing your security scan results, you'll see:

HTTP Request Details

  • URL and endpoint that triggered the finding
  • HTTP method (GET, POST, etc.)
  • Query parameters or form data with test payloads
  • Request headers and body content

HTTP Response Evidence

  • Response showing the vulnerability manifestation
  • Evidence of improper handling or injection
  • Runtime behavior indicators

Attack Vector

  • Which parameter or input is vulnerable
  • Type of exploitation possible
  • Context where the vulnerability appears

Mapping DAST Findings to Source Code

Find the Vulnerable Endpoint

Use the HTTP request URL to locate the code:

# Search for the URL path in your codebase
grep -r "/search" src/
grep -r "route.*search" src/

Locate the Route Handler

Common patterns to search for:

  • Python Flask/Django: @app.route('/search'), path('search/', ...)
  • Node.js Express: app.get('/search', ...), router.get('/search', ...)
  • Java Spring: @GetMapping("/search"), @RequestMapping("/search")
  • ASP.NET: [Route("search")], MapRoute("search", ...)
  • PHP: $_GET['q'], route definitions in routing files

Find the Parameter Handling

Search for the vulnerable parameter name:

# Find where the parameter is accessed (-F matches the string literally, so
# '.', '(' and '[' in the pattern are not treated as regex metacharacters)
grep -rF "request.args.get('q')" src/     # Python Flask
grep -rF "req.query.q" src/               # Node.js
grep -rE "@RequestParam.*q" src/          # Java Spring (regex: annotation then name)
grep -rF 'Request.QueryString["q"]' src/  # ASP.NET
grep -rF "\$_GET['q']" src/               # PHP (escape $ so the shell does not expand it)

Trace to Vulnerable Operation

Look for where the parameter is used in:

  • Template rendering functions
  • String concatenation in HTML responses
  • JSON responses with user data
  • Direct writes to response body

Remediation

Core principle: Never render untrusted input directly into executable browser contexts; ensure all untrusted data is output-encoded for its specific context so it remains data, not script.
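The following is an added example, not code from the scanner vendor or from any project: an Express-style search handler reduced to pure render functions so it runs without a server. renderSearchVulnerable() is the string-concatenation pattern a finding like the one above usually maps to (the same input landing in both the HTML body and a quoted attribute); renderSearchFixed() applies the context-specific encoding the core principle calls for, and safeHref() shows the URL context, where encoding alone is not enough. All function names and the sample inputs are assumptions for this example.

```javascript
// Added example (not the scanner's or any project's code): an Express-style
// search handler reduced to pure render functions so it runs without a server.

// Encoder for the HTML body context (text between tags). Encoding all five
// metacharacters also covers the double-quoted attribute context, provided
// the attribute really is quoted in the template.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Encoder for an href/URL context: only http(s) URLs are allowed through,
// so a 'javascript:' value can never become a clickable link; the result is
// then HTML-encoded because it still sits inside an attribute.
function safeHref(value) {
  const s = String(value).trim();
  if (!/^https?:\/\//i.test(s)) return '#';
  return escapeHtml(encodeURI(s));
}

// Vulnerable: the query lands unencoded in two contexts (HTML body and a
// double-quoted attribute). Both sinks correspond to the evidence above.
function renderSearchVulnerable(q) {
  return '<h1>Results for ' + q + '</h1>\n' +
         '<input name="q" value="' + q + '">';
}

// Fixed: every interpolation is encoded for the context it lands in.
function renderSearchFixed(q) {
  return '<h1>Results for ' + escapeHtml(q) + '</h1>\n' +
         '<input name="q" value="' + escapeHtml(q) + '">';
}

// Heuristic a reviewer can run over a rendered page: the input stays data
// if only its encoded form appears and the raw form does not. Inputs with
// no metacharacters have nothing to break out with and pass trivially.
function inputStaysData(q, html) {
  const encoded = escapeHtml(q);
  if (encoded === q) return true;
  return html.includes(encoded) && !html.includes(q);
}

// Express wiring, shown for context only (requires `npm install express`):
//   app.get('/search', (req, res) => res.send(renderSearchFixed(req.query.q ?? '')));

// Sample inputs taken from the "Key DAST evidence" list above.
const SAMPLE_INPUTS = ['<script>alert(1)</script>', '"onmouseover=alert(1)'];

// Renders each sample through both handlers and reports whether the input
// stayed data. Expected: vulnerable=false, fixed=true for every sample.
function demo() {
  return SAMPLE_INPUTS.map(q => ({
    input: q,
    vulnerable: inputStaysData(q, renderSearchVulnerable(q)),
    fixed: inputStaysData(q, renderSearchFixed(q)),
  }));
}

console.log(demo());
```

Note that encoding is chosen by the sink, not by the input: the same escapeHtml() is correct for the body and the quoted attribute here, but an unquoted attribute, an inline script block or a URL each need their own treatment, which is why the verification section below asks you to test every context separately.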

→ For comprehensive remediation guidance, see Static CWE-79 Guidance

Language-Specific Guidance

The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:

Verification and Follow-Up Testing

After applying the fix:

Reproduce the Vulnerability

# Use curl to replay the exact request; -G with --data-urlencode sends the
# payload as a properly URL-encoded query string (a raw '<' in the request
# line is rejected by some servers with 400, which would mask the result)
curl -G --data-urlencode 'q=<script>alert(1)</script>' "http://localhost:3000/search"

# Or use browser DevTools Network tab to copy as cURL

Verify the Fix

  • Check that output is contextually encoded (HTML, attribute, JavaScript, URL)
  • Confirm script does NOT execute in browser
  • Test multiple contexts (HTML body, attributes, JavaScript)

Test Edge Cases

# Different encoding contexts
/search?q=<img src=x onerror=alert(1)>
/search?q=javascript:alert(1)
/search?q='><script>alert(1)</script>

# Unicode and encoding tricks
/search?q=%3Cscript%3Ealert(1)%3C/script%3E
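The following is an added verification helper, example code that is not part of the original guidance or of any scanner: it takes the edge-case payloads listed above and a saved response body (what curl returned for each replay) and classifies each payload as reflected raw, reflected in entity-encoded form, or absent. Matching is tolerant of the different entity spellings frameworks emit (`&lt;` vs `&#60;` vs `&#x3c;`), and percent-encoded payloads are compared in their decoded form because that is what the server sees. The response bodies in the block are constructed samples, not captures from a real application; the function names are assumptions.

```javascript
// Added verification helper (example code, not the scanner's or any project's):
// classify how each XSS test input was reflected in a saved response body.

// Edge-case inputs from the list above.
const EDGE_CASE_PAYLOADS = [
  '<img src=x onerror=alert(1)>',
  'javascript:alert(1)',
  "'><script>alert(1)</script>",
  '%3Cscript%3Ealert(1)%3C/script%3E', // percent-encoded <script>alert(1)</script>
];

// Entity spellings an encoder may legitimately emit for each metacharacter.
const ENTITY_FORMS = {
  '<': ['&lt;', '&#60;', '&#x3c;', '&#x3C;'],
  '>': ['&gt;', '&#62;', '&#x3e;', '&#x3E;'],
  '"': ['&quot;', '&#34;', '&#x22;'],
  "'": ['&#39;', '&#x27;', '&apos;'],
  '&': ['&amp;', '&#38;', '&#x26;'],
};

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build a RegExp matching the payload with every metacharacter replaced by
// any of its entity forms (never the raw character).
function entityTolerantPattern(payload) {
  const parts = [];
  for (const ch of payload) {
    const forms = ENTITY_FORMS[ch];
    parts.push(forms ? '(?:' + forms.map(escapeRegex).join('|') + ')' : escapeRegex(ch));
  }
  return new RegExp(parts.join(''));
}

// The server URL-decodes query values before using them, so compare the
// decoded form against the response.
function decodedPayload(p) {
  try { return decodeURIComponent(p); } catch (e) { return p; }
}

// 'raw'     - payload present verbatim: the finding is still reproducible
// 'encoded' - only an entity-encoded form is present: the fix is effective
// 'absent'  - neither form present: input filtered, or not reflected here
// A payload with no metacharacters (javascript:alert(1)) can only be 'raw'
// or 'absent'; whether 'raw' is dangerous depends on it landing in a URL
// context, so check where it appears before closing the finding.
function classifyReflection(body, payload) {
  const p = decodedPayload(payload);
  if (body.includes(p)) return 'raw';
  if (entityTolerantPattern(p).test(body)) return 'encoded';
  return 'absent';
}

// Map each payload to its classification for one response body.
function reflectionReport(body, payloads) {
  const report = {};
  for (const p of payloads) report[p] = classifyReflection(body, p);
  return report;
}

// Payloads that must still be treated as open findings for this body.
function unencodedReflections(body, payloads) {
  return payloads.filter(p => classifyReflection(body, p) === 'raw');
}

// Constructed sample responses (not captured from a real application) as a
// search page might echo the first payload before and after the fix.
const BEFORE_FIX = '<h1>Results for <img src=x onerror=alert(1)></h1>';
const AFTER_FIX  = '<h1>Results for &lt;img src=x onerror=alert(1)&gt;</h1>';

console.log('before:', reflectionReport(BEFORE_FIX, EDGE_CASE_PAYLOADS));
console.log('after: ', reflectionReport(AFTER_FIX, EDGE_CASE_PAYLOADS));
```

Run it once per saved response: an empty result from unencodedReflections() for every context you tested (body, attribute, script block, URL) is the condition for re-running the scanner; an 'absent' result is not proof of encoding, only that this page did not echo the value, so confirm the reflection point has not simply moved.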

Re-run DAST Scanner

Run your dynamic scanner again on the fixed endpoint to confirm remediation.

Additional Resources