User Controllable JavaScript Event (XSS)

Risk:
Informational

Type:
Passive

CWE:
CWE-20

Summary: This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

Solution: Validate all input and sanitize output it before writing to any Javascript on* events.

Other info: User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL: http://example.com/i.php?place=moon&name=Foo includes the following Javascript event which may be attacker-controllable: User-input was found in the following data of an [onerror] event: foo The user input was: foo

References: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

Latest Security News

Latest CVE List

Common Security Alerts

InformationalModern Web Application
MediumCSP: style-src unsafe-hashes
InformationalSec-Fetch-Dest Header Has an Invalid Value
MediumBackup File Disclosure
MediumX-Frame-Options Setting Malformed
MediumBuffer Overflow
InformationalSplit Viewstate in Use
InformationalContent Security Policy (CSP) Report-Only Header Found
MediumDirectory Browsing
HighASP.NET ViewState Integrity

Top CWE List

Free online web security scanner

Don't show website scan report rating on the leaderboard