Secure by Design Alert: Eliminating Cross-Site Scripting Vulnerabilities

Malicious Cyber Actors Use Cross-Site Scripting Vulnerability to Compromise Systems

CISA and FBI are releasing this Secure by Design Alert as a part of our ongoing effort to reduce the prevalence of vulnerability classes at scale. Vulnerabilities like cross-site scripting (XSS) continue to appear in software, enabling threat actors to exploit them. However, cross-site scripting vulnerabilities are preventable and should not be present in software products.

Senior executives and business leaders should ask their teams how they are working to eliminate these defects and whether they are implementing a secure by design approach in their products.

Cross-site scripting vulnerabilities arise when manufacturers fail to properly validate, sanitize, or escape inputs. These failures allow threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts. Although some developers employ input sanitization techniques to prevent XSS vulnerabilities, this approach is not infallible and should be reinforced with additional security measures.


© 2024 Small Business Resources.