
CWE-85 (Doubled Character XSS Manipulation) — Vulnerability Class 2

2 vulnerabilities classified as CWE-85 (Doubled Character XSS Manipulation). AI-generated Chinese analysis included.

CWE-85 is a critical input validation weakness in which a web application fails to sanitize user-controlled data because its filter ignores doubled characters used to obfuscate script. An attacker exploits it by doubling the special characters in a payload, for example replacing a single quote with two identical quotes, so that a naive filter that only checks for single instances of the dangerous syntax lets the payload through. The injected script then executes in the victim's browser: a cross-site scripting attack that can compromise user sessions or steal sensitive information. To prevent this, developers must implement robust, context-aware input validation and output encoding that normalize and escape all special characters regardless of their repetition. Using established security libraries and adhering to the principle of least privilege ensures that even obfuscated payloads are interpreted as data rather than executable code, neutralizing this evasion technique.

MITRE CWE Description
The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Read Application Data, Execute Unauthorized Code or Commands.
Mitigations (5)
Phase: Implementation. Resolve all filtered input to absolute or canonical representations before processing.
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS v…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n… Effectiveness: Defense in Depth.
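The following Python is an added illustration, not part of this page or of MITRE's CWE entry, of the doubled-character pattern the description above and the first two mitigations address. It places a single-pass blocklist filter (the CWE-85 defect) beside a filter that canonicalises its input to a fixed point, an allowlist check, and HTML output encoding, and shows which of them leaves a script tag alive. The sample inputs, the regular expressions, and all function names are constructed for this demo.

```python
import html
import re

# Constructed sample inputs (not from the page): a benign display name and
# a doubled-character value in which removing one "<script>" token once
# leaves a second, intact "<script>" behind.
BENIGN_INPUT = "Ann O'Reilly"
DOUBLED_INPUT = "<scr<script>ipt>alert(1)</script>"

# Matches an opening or closing script tag (constructed for the demo).
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def naive_strip_once(value: str) -> str:
    """Single-pass blocklist filter: removes each script tag it sees once.
    This is the CWE-85 pattern: it checks for one instance of the
    dangerous syntax and never re-examines what the removal leaves."""
    return SCRIPT_TAG.sub("", value)


def strip_to_fixed_point(value: str, max_rounds: int = 10) -> str:
    """Canonicalising filter: repeat the removal until the result no
    longer changes, so doubled or nested tokens cannot reassemble."""
    for _ in range(max_rounds):
        cleaned = SCRIPT_TAG.sub("", value)
        if cleaned == value:
            return cleaned
        value = cleaned
    # Still changing after max_rounds: refuse the input rather than guess.
    raise ValueError("input did not reach a canonical form")


# Positive specification for a display name (constructed for the demo).
NAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9 .'-]{1,64}$")


def validate_display_name(value: str) -> bool:
    """Allowlist check: accept only the characters a display name needs."""
    return NAME_ALLOWLIST.fullmatch(value) is not None


def render_html(value: str) -> str:
    """Output encoding for an HTML text context: every '<', '>', '&' and
    quote is escaped, so the value stays data whatever a filter did."""
    return html.escape(value, quote=True)


def still_contains_script(value: str) -> bool:
    """Detection helper: does a script tag survive the given filter output?"""
    return SCRIPT_TAG.search(value) is not None


if __name__ == "__main__":
    once = naive_strip_once(DOUBLED_INPUT)
    print("naive filter:", once, "| script survives:", still_contains_script(once))
    canon = strip_to_fixed_point(DOUBLED_INPUT)
    print("fixed-point filter:", canon, "| script survives:", still_contains_script(canon))
    print("allowlist accepts benign name:", validate_display_name(BENIGN_INPUT))
    print("allowlist accepts doubled input:", validate_display_name(DOUBLED_INPUT))
    print("encoded for HTML:", render_html(DOUBLED_INPUT))
```

The fixed-point loop implements the "canonical representation" mitigation, and the bounded round count turns a filter that never settles into a rejection instead of a silent pass. Even so, output encoding in `render_html` is the control to rely on: it makes the doubling irrelevant because no `<` reaches the browser unescaped, while the allowlist rejects the doubled input outright before any filtering is needed.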

Vulnerabilities classified as CWE-85 (Doubled Character XSS Manipulation) represent 2 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.