CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BaseStable🏆 #1 in Top 25 (2024)

Description

View on MITRE
4,442Related CVEs
45.54Severity Score
Back to CWE Lookup

Extended Description

Extended Description

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

🏆 CWE Top 25 Historical Ranking

2023:#2
Score: 45.54
4,278 CVEs
2024:#1↑1
Score: 45.54
4,442 CVEs
Trend:Worsening (moved down 1 ranks)

Frequently Asked Questions

What is CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?+

CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description Extended Description

Is CWE-79 in the CWE Top 25 Most Dangerous Software Weaknesses?+

Yes. CWE-79 ranked #1 in the CWE Top 25 for 2024, associated with 4,442 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.

What are the security consequences of CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?+

If exploited, CWE-79 (CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) it can compromise Bypass Protection Mechanism, Read Application Data and Execute Unauthorized Code or Commands, leading to outcomes such as Scope: Access Control, Confidentiality The most common attack performed with cross-site scripting involves the disclosure of private information stored in user cookies, such as session information. Typically, a malicious user will craft a client-side script, which -- when parsed by a web browser -- performs some activity on behalf of the victim to an attacker-controlled system (such as sending all site cookies to a given E-mail address). This could be especially dangerous to the site if the victim has administrator privileges to manage that site. This script will be loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question and the malicious script does also..

How do you prevent or mitigate CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?+

Recommended mitigations for CWE-79 include: Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [ REF-1482 ]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket. Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Cascading Style Sheets and style property etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [ REF-724 ] for more details on the types of encoding and escaping that are needed. Strategy: Attack Surface Reduction Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. Effectiveness: Limited Note: This technique has limited effectiveness, but can be helpful when it is possible to store client state and sensitive information on the server side instead of in cookies, headers, hidden form fields, etc.

Which programming languages are affected by CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?+

CWE-79 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-79 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More