Property
Language: javascript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code inserts values from the page URL directly into the DOM using document.write, which allows attackers to inject malicious scripts via crafted links. This exposes the application to DOM-based Cross-Site Scripting (XSS) attacks.
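
The flagged pattern next to two corrected forms, as an added example that is not taken from the rule's own documentation or test cases. The function names, the `name` query parameter and the `doc` argument (pass `document` in a browser) are assumptions made for illustration.

```javascript
// Flagged pattern: a value read from the page URL is concatenated into
// markup and handed to document.write, so any tags it contains are parsed.
function renderGreetingUnsafe(doc, href) {
  const name = new URL(href).searchParams.get("name") || "";
  doc.write("<p>Hello, " + name + "</p>");
}

// Preferred fix: never build HTML from the value. Create the node and set
// textContent, which the browser treats as plain text, not markup.
function renderGreetingSafe(doc, href) {
  const name = new URL(href).searchParams.get("name") || "";
  const p = doc.createElement("p");
  p.textContent = "Hello, " + name;
  doc.body.appendChild(p);
  return p;
}

// Fallback when an HTML string cannot be avoided: encode the characters
// that are significant in HTML element and attribute-value contexts.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Builds the same greeting as an HTML string with the URL value encoded.
function buildGreetingHtml(href) {
  const name = new URL(href).searchParams.get("name") || "";
  return "<p>Hello, " + escapeHtml(name) + "</p>";
}
```

`escapeHtml` covers HTML body and quoted-attribute contexts only; values placed inside script blocks, URLs or CSS need context-specific encoding.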

Impact

If exploited, an attacker can execute arbitrary JavaScript in the user’s browser, potentially stealing sensitive information like cookies, hijacking user sessions, or defacing the website. This can lead to data breaches, loss of user trust, and compliance violations.