Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description#
Directly displaying user input from $_GET, $_POST, or $_REQUEST using echo without proper sanitization allows attackers to inject malicious scripts into your web pages. This exposes your application to cross-site scripting (XSS) attacks.
Impact#
If exploited, attackers can execute arbitrary JavaScript in users’ browsers, leading to session hijacking, data theft, defacement, or malware distribution. This compromises user trust and could result in significant data breaches or reputational damage.