Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
Assigning user-controlled data directly to DOM properties like innerHTML, outerHTML, or using document.write allows attackers to inject malicious scripts. This makes your application vulnerable to cross-site scripting (XSS) attacks.
Impact#
If exploited, an attacker could execute arbitrary JavaScript in a user’s browser, potentially stealing sensitive data, hijacking user sessions, defacing the website, or spreading malware to other users. This can lead to loss of user trust and significant security breaches.