Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User-controlled input is used directly in the host portion of a URL for server-side HTTP requests. This allows attackers to specify arbitrary destinations for outgoing requests, putting sensitive data at risk.
Impact
If exploited, attackers could trick the server into connecting to malicious or internal systems (server-side request forgery, SSRF), potentially exposing sensitive data (like cookies or credentials), leaking internal network information, or enabling further attacks such as access to protected resources.
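The pattern from the Description next to a hardened form, as an added example that is not part of the rule's own documentation. The page names no language, so Python is an assumption, as are the function names and the allowlisted hosts; all sample inputs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the only upstream hosts this service is meant to call.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def build_url_vulnerable(host: str, path: str = "/status") -> str:
    """The flagged pattern: request input becomes the URL host unchecked."""
    return f"https://{host}{path}"


def build_url_hardened(host: str, path: str = "/status") -> str:
    """Accept the host only if it is an exact, allowlisted name."""
    candidate = host.strip().lower().rstrip(".")
    if candidate not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    url = f"https://{candidate}{path}"
    # Re-parse the assembled URL: the HTTP client connects to what the
    # parser sees, so that must still be the host that was validated.
    parts = urlsplit(url)
    if parts.hostname != candidate or parts.username or parts.port:
        raise ValueError("URL host changed after assembly")
    return url


def is_rejected(host: str, path: str = "/status") -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_url_hardened(host, path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: loopback, suffix lookalike, userinfo trick, valid.
    for h in ("127.0.0.1", "api.example.com.attacker.example",
              "api.example.com@internal.example", "API.example.com."):
        seen = urlsplit(build_url_vulnerable(h)).hostname
        verdict = "rejected" if is_rejected(h) else "accepted"
        print(f"{h!r}: vulnerable form connects to {seen!r}; hardened: {verdict}")
```

Exact matching against an allowlist avoids substring and suffix checks, which the lookalike and userinfo inputs above would pass.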