Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description#
User input from the HTTP request is being directly included in an HttpResponse without proper escaping or sanitization. This allows attackers to inject malicious scripts into the response, making the application vulnerable to cross-site scripting (XSS).
Impact#
If exploited, attackers could execute JavaScript in users’ browsers, steal sensitive information like cookies or session tokens, impersonate users, or perform actions on their behalf. This can compromise user accounts, expose confidential data, and damage the application’s reputation.