User Controllable HTML Element Attribute (Potential XSS)

Risk:
Informational

Type:
Passive

CWE:
CWE-20

Summary: This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

Solution: Validate all input and sanitize output it before writing to any HTML attributes.

Other info: User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://example.com/i.php?name=fred appears to include user input in: a(n) [img] tag [alt] attribute The user input found was: name=fred The user-controlled value was: pscanrules.usercontrolledhtmlattributes.

References: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

Latest Security News

Latest CVE List

Common Alerts

InformationalRe-examine Cache-control Directives
LowDangerous JS Functions
MediumXSLT Injection
MediumDirectory Browsing
MediumExponential Entity Expansion (Billion Laughs Attack)
MediumCSP: script-src unsafe-eval
LowPermissions Policy Header Not Set
InformationalGET for POST
MediumX-ChromeLogger-Data (XCOLD) Header Information Leak
HighHeartbleed OpenSSL Vulnerability (Indicative)

Top CWE List

Free online web security scanner

Don't show website scan report rating on the leaderboard