| Property | Value |
| --- | --- |
| Language | generic |
| Severity | high |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |

## Description

The Visualforce page does not set the `cspHeader` attribute of its `<apex:page>` tag to `true`. Without it, the Content Security Policy (CSP) header is not sent for the page, so the browser does not enforce the CSP restrictions on script sources and inline scripts that would otherwise limit malicious script execution. This leaves the page more exposed to cross-site scripting (XSS) attacks.

## Impact

If exploited, attackers could inject and execute unauthorized JavaScript in users’ browsers, potentially leading to data theft, session hijacking, or unauthorized actions in the Salesforce environment. This can compromise user accounts, sensitive business data, and overall application security.
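The check described above can be reproduced outside the scanner. The following is an added example, not part of this rule page or of any Salesforce tooling: it inspects the root `<apex:page>` tag of Visualforce markup, reports pages where `cspHeader` is absent or not `true`, and shows the hardened tag beside the weak one. The sample pages are constructed for illustration; the attribute-matching rule (missing or non-`true` value is a finding) is an assumption that follows the rule text.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Visualforce pages (not taken from any real org).
SAMPLE_PAGES: Dict[str, str] = {
    "Missing.page": '<apex:page controller="AccountCtl">\n  <h1>{!name}</h1>\n</apex:page>',
    "Disabled.page": '<apex:page cspHeader="false" showHeader="false">\n</apex:page>',
    "Enabled.page": "<apex:page cspHeader='true'>\n</apex:page>",
    "Spaced.page": '<apex:page\n    controller="X"\n    cspHeader = "TRUE">\n</apex:page>',
}

# Root tag: attributes may span lines. Assumes no literal '>' inside attribute values.
PAGE_TAG = re.compile(r"<apex:page\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# The cspHeader attribute with either quote style; lookbehind avoids e.g. data-cspHeader.
CSP_ATTR = re.compile(r"""(?<![\w:-])cspHeader\s*=\s*(['"])(.*?)\1""", re.IGNORECASE | re.DOTALL)


def csp_header_value(markup: str) -> Optional[str]:
    """Return the cspHeader value on the root <apex:page> tag, or None when absent."""
    tag = PAGE_TAG.search(markup)
    if not tag:
        return None
    attr = CSP_ATTR.search(tag.group(1))
    return attr.group(2).strip() if attr else None


def is_csp_enforced(markup: str) -> bool:
    """Finding rule (assumed from the rule text): only an explicit true value passes.
    Value comparison is case-insensitive, so TRUE and true both count."""
    value = csp_header_value(markup)
    return value is not None and value.lower() == "true"


def audit(pages: Dict[str, str]) -> List[str]:
    """Names of pages that do not enforce CSP, sorted for stable reporting."""
    return sorted(name for name, markup in pages.items() if not is_csp_enforced(markup))


def harden(markup: str) -> str:
    """Rewrite the root tag so it carries cspHeader="true" (added if missing, replaced if set)."""
    def fix(tag: "re.Match[str]") -> str:
        attrs = tag.group(1)
        if CSP_ATTR.search(attrs):
            attrs = CSP_ATTR.sub('cspHeader="true"', attrs)
        else:
            attrs = ' cspHeader="true"' + attrs
        return f"<apex:page{attrs}>"
    return PAGE_TAG.sub(fix, markup, count=1)


if __name__ == "__main__":
    for name in audit(SAMPLE_PAGES):
        print(f"{name}: cspHeader={csp_header_value(SAMPLE_PAGES[name])!r}")
        print("  fix:", harden(SAMPLE_PAGES[name]).splitlines()[0])
```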