Rapid7 Vulnerability & Exploit Database

Cross Site Scripting Vulnerability

Back to Search

Cross Site Scripting Vulnerability



The Web application is vulnerable to cross-site scripting (XSS), which allows attackers to take advantage of Web server scripts to inject JavaScript or HTML code that is executed on the client-side browser. This vulnerability is often caused by server-side scripts written in languages such as PHP, ASP, .NET, Perl or Java, which do not adequately filter data sent along with page requests or by vulnerable HTTP servers. This malicious code appears to come from your Web application when it runs in the browser of an unsuspecting user.

An attacker can do the following damage with an expoloit script:

  • access other sites inside another client's private intranet
  • steal another client's cookie(s)
  • modify another client's cookie(s)
  • steal another client's submitted form data
  • modify another client's submitted form data before it reaches the server
  • submit a form to your Web application on the user's behalf that modifies passwords or other application data

The two most common methods of attack are:

  • Having a user click a URL link sent in an e-mail
  • Having a user click a URL link while visiting a Web site

In both scenarios, the URL will generally link to the trusted site, but will contain additional data that is used to trigger the XSS attack.

Note that SSL connectivity does not protect against this issue.


  • http-cgi-0010

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center