Property
Language: typescript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Setting the ‘X-XSS-Protection’ HTTP header to ‘0’ disables the browser’s built-in XSS filter, making the application more vulnerable to Cross-Site Scripting (XSS) attacks. This weakens an important layer of browser-side defense against malicious scripts.
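As an added example (not part of this rule page), a TypeScript check that parses a response's X-XSS-Protection header and flags the '0' value described above. The sample header maps are constructed for illustration, and '1; mode=block' is the header's blocking form, not a value taken from this page.

```typescript
// Added example (not from the original rule page): audit a response's
// X-XSS-Protection header and flag the "0" value this rule describes.
type XssProtectionState = "disabled" | "enabled" | "enabled-block" | "missing" | "malformed";

interface Finding {
  state: XssProtectionState;
  value?: string;
  message: string;
}

// Parse the header value using its documented syntax:
//   "0" | "1" | "1; mode=block" | "1; report=<url>"
function parseXssProtection(value: string): XssProtectionState {
  const parts = value.split(";").map((p) => p.trim().toLowerCase()).filter(Boolean);
  if (parts.length === 0 || (parts[0] !== "0" && parts[0] !== "1")) return "malformed";
  if (parts[0] === "0") return "disabled";
  return parts.slice(1).some((d) => d === "mode=block") ? "enabled-block" : "enabled";
}

// HTTP header names are case-insensitive, so look the header up that way.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

function auditXssProtection(headers: Record<string, string>): Finding {
  const value = getHeader(headers, "X-XSS-Protection");
  if (value === undefined) {
    return { state: "missing", message: "X-XSS-Protection header is not set" };
  }
  const state = parseXssProtection(value);
  const messages: Record<XssProtectionState, string> = {
    disabled: "X-XSS-Protection is '0': the browser XSS filter is explicitly disabled (this rule's finding)",
    enabled: "X-XSS-Protection enables the filter without mode=block",
    "enabled-block": "X-XSS-Protection enables the filter in blocking mode",
    missing: "X-XSS-Protection header is not set",
    malformed: `Unrecognised X-XSS-Protection value: ${value}`,
  };
  return { state, value, message: messages[state] };
}

// Constructed sample response headers: the weak setting the rule flags, and a hardened one.
const weakHeaders: Record<string, string> = { "Content-Type": "text/html", "x-xss-protection": "0" };
const hardenedHeaders: Record<string, string> = { "Content-Type": "text/html", "X-XSS-Protection": "1; mode=block" };

// True when this rule's finding applies to the given response headers.
function isFlagged(headers: Record<string, string>): boolean {
  return auditXssProtection(headers).state === "disabled";
}
```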

Impact

If exploited, attackers could inject malicious scripts into web pages viewed by users, leading to data theft, session hijacking, or defacement. Disabling this protection increases the risk of XSS attacks succeeding, potentially compromising user data and trust.