Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: javascript
Severity: high
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User input is being inserted directly into HTML responses without proper sanitization or output encoding. Because the input is untrusted, an attacker can use it to inject malicious scripts (XSS) into the rendered page.

Impact

If exploited, attackers can execute arbitrary JavaScript in users’ browsers, leading to data theft, session hijacking, or defacement of your application, potentially compromising user accounts and trust.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: javascript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Manually replacing special HTML characters in user input (e.g., using replace or replaceAll) to sanitize data is error-prone and can miss edge cases, leaving your code vulnerable. It’s safer to use a well-maintained sanitization library designed for this purpose.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: javascript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Assigning user-controlled data directly to an element’s innerHTML allows attackers to inject malicious scripts into your web page. This makes your application vulnerable to cross-site scripting (XSS) attacks.

Impact

If exploited, an attacker could execute arbitrary JavaScript in users’ browsers, potentially stealing session tokens, user data, or performing actions on behalf of users. This can lead to data breaches, account compromise, and loss of user trust.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: javascript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code inserts values from the page URL directly into the DOM using document.write, which allows attackers to inject malicious scripts via crafted links. This exposes the application to DOM-based Cross-Site Scripting (XSS) attacks.

Impact

If exploited, an attacker can execute arbitrary JavaScript in the user’s browser, potentially stealing sensitive information like cookies, hijacking user sessions, or defacing the website. This can lead to data breaches, loss of user trust, and compliance violations.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: javascript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Assigning user-controlled data directly to DOM properties like innerHTML, outerHTML, or using document.write allows attackers to inject malicious scripts. This makes your application vulnerable to cross-site scripting (XSS) attacks.

Impact

If exploited, an attacker could execute arbitrary JavaScript in a user’s browser, potentially stealing sensitive data, hijacking user sessions, defacing the website, or spreading malware to other users. This can lead to loss of user trust and significant security breaches.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: javascript
Severity: medium
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input from the browser’s location (such as URL parameters or fragments) is being directly inserted into HTML strings without proper sanitization. This can allow attackers to inject malicious scripts into the page.

Impact

If exploited, attackers could execute arbitrary JavaScript in users’ browsers (XSS), leading to stolen data, account compromise, or unauthorized actions on behalf of users. This threatens user safety and can damage trust in the application.
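The four entries above that deal with DOM-based sinks (innerHTML, outerHTML, document.write, and values read from the browser's location) share one remedy: take the value out of the URL with a proper parser and hand it to DOM APIs that treat it as text or as a validated attribute, never as markup. The following is an added example, not code from this rule catalogue or from the tool it documents. safeHref, renderWelcome and makeFakeDocument are illustrative names; the fake document is a constructed stand-in for the handful of Document and Element methods used, so the example also runs in Node, and the query string is a constructed sample.

```javascript
// Added example, not code from the rule catalogue: rendering values taken from
// the page URL through DOM APIs that do not parse markup, instead of assigning
// them to innerHTML / outerHTML or passing them to document.write.

// A link target taken from input is accepted only if it parses as an absolute
// http(s) URL; other schemes and unparsable strings are rejected.
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null;
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// Builds the welcome block from a query string such as window.location.search.
// `doc` is the Document to use, passed in so the function can be exercised
// outside a browser; in a page, call renderWelcome(location.search, el, document).
function renderWelcome(search, container, doc) {
  const params = new URLSearchParams(search); // decodes %xx, never evaluates anything
  const name = params.get("name") || "guest";

  const p = doc.createElement("p");
  p.textContent = `Welcome, ${name}`; // assigned as a text node, so tags stay literal
  container.appendChild(p);

  const href = safeHref(params.get("next"));
  if (href !== null) {
    const a = doc.createElement("a");
    a.setAttribute("href", href); // only a validated http(s) URL reaches the attribute
    a.textContent = "Continue";
    container.appendChild(a);
  }
  return { text: p.textContent, href };
}

// Constructed stand-in for the few Document/Element methods used above, so the
// example runs in Node; it records attributes and children instead of rendering.
function makeFakeDocument() {
  const makeElement = (tag) => ({
    tagName: tag,
    attrs: {},
    children: [],
    textContent: "",
    setAttribute(key, value) { this.attrs[key] = value; },
    appendChild(child) { this.children.push(child); return child; },
  });
  return { createElement: makeElement };
}

// Stand-alone run outside a browser with a constructed query string: the
// "name" value carries markup, which ends up as literal text, and "next" is a
// plain https URL, which is accepted.
if (typeof document === "undefined") {
  const doc = makeFakeDocument();
  const root = doc.createElement("div");
  console.log(
    renderWelcome("?name=%3Cb%3Eguest%3C%2Fb%3E&next=https%3A%2F%2Fexample.com%2Fhome", root, doc)
  );
}
```

The two decisions that matter are the sink and the validation: textContent cannot introduce elements whatever the string contains, and the href is rejected unless it is an absolute http(s) URL, because an attribute value is a different parsing context from element text and needs its own rule.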

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: javascript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code uses a variable with unknown or uncontrolled content inside an HTML tag. If this variable can be influenced by users, it may allow attackers to inject malicious JavaScript into your web page.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: javascript
Severity: medium
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input is being directly inserted into HTML responses without proper sanitization or encoding. This can allow attackers to inject malicious scripts into web pages returned by your AWS Lambda function.

Impact

If exploited, attackers could execute scripts in users’ browsers (cross-site scripting), steal session cookies or sensitive data, deface web pages, or perform actions on behalf of users, putting both user accounts and organizational data at risk.
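The entries on this page that concern HTML assembled from strings (the first entry on input inserted into HTML responses, the entry on manual replace()-based sanitization, and the AWS Lambda entry directly above) share one fix: encode every untrusted value for the context it lands in before concatenating it. The following is an added example, not code from this rule catalogue or from the tool it documents. naiveEscape, escapeHtml, renderGreeting, attributeBreakout and handler are illustrative names, the Lambda event shape is assumed, and the sample name is constructed.

```javascript
// Added example (not from the rule catalogue): encoding untrusted values
// before they are spliced into an HTML string, and why a partial hand-rolled
// replace() chain is not a substitute for complete, context-aware encoding.

// The pattern the "manual replace" rule flags: only angle brackets are
// rewritten, so a value can still close the attribute it is placed in.
function naiveEscape(value) {
  return String(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Complete escaping for HTML text and quoted-attribute contexts: every
// character that can change how the parser reads those contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders the untrusted name into two contexts at once: a double-quoted
// attribute and element text. Both go through the supplied encoder.
function renderGreeting(name, escapeFn) {
  const safe = escapeFn(name);
  return `<p title="${safe}">Hello, ${safe}</p>`;
}

// Simplified structural check for the demonstration: the template above
// contains exactly two raw double quotes (the attribute delimiters), so any
// other count means the value broke out of the attribute.
function attributeBreakout(html) {
  return (html.match(/"/g) || []).length !== 2;
}

// Lambda-style handler (event shape assumed for the example): the query value
// is encoded on its way into the body, and the response declares its content
// type and charset so the browser does not sniff a different one.
function handler(event) {
  const q = (event && event.queryStringParameters) || {};
  const name = typeof q.name === "string" ? q.name : "guest";
  return {
    statusCode: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: renderGreeting(name, escapeHtml),
  };
}

// Constructed sample input: a benign attribute-breakout string that adds a
// class rather than a handler, which is enough to show the context problem.
const SAMPLE_NAME = 'Bob" class="injected';

console.log(renderGreeting(SAMPLE_NAME, naiveEscape)); // attribute closed early
console.log(renderGreeting(SAMPLE_NAME, escapeHtml));  // quotes encoded, structure intact
```

The naive encoder passes the sample through untouched, so the rendered markup acquires an extra attribute the developer never wrote; the complete encoder turns the quotes into &quot; and the template keeps its shape. A maintained library such as the one the "manual replace" entry recommends does the same job across more contexts (URLs, JavaScript strings, CSS) and is the better choice in production; the hand-written version here exists only to make the difference visible.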

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language: javascript
Severity: medium
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User input is being inserted directly into HTML strings without proper sanitization or escaping. Building markup this way sidesteps the framework's secure HTML rendering methods and exposes the application to cross-site scripting (XSS) attacks.

Impact

If exploited, an attacker could inject malicious scripts into your web pages, potentially stealing user data, hijacking sessions, or performing actions on behalf of users. This can lead to data breaches, compromised accounts, and damage to user trust.