Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
The application returns user input directly in HTTP responses without sanitizing it. This allows attackers to inject malicious scripts into the response, potentially leading to cross-site scripting (XSS) attacks.
Impact#
If exploited, attackers could execute arbitrary JavaScript in users’ browsers, steal sensitive data (like session cookies), impersonate users, or deface the application. This can compromise user accounts, damage trust, and potentially expose the organization to further attacks.