User Controllable JavaScript Event (XSS)

Risk:
Informational

Type:
Passive

CWE:
CWE-20

Summary: This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

Solution: Validate all input and sanitize output it before writing to any Javascript on* events.

Other info: User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL: http://example.com/i.php?place=moon&name=Foo includes the following Javascript event which may be attacker-controllable: User-input was found in the following data of an [onerror] event: foo The user input was: foo

References: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

Latest Security News

Top CVE List

Top Alert List

Content Security Policy (CSP) Header Not Set
CSP
MediumContent Security Policy (CSP) Header Not Set
MediumMissing Anti-clickjacking Header
MediumAbsence of Anti-CSRF Tokens
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
LowCross-Domain JavaScript Source File Inclusion
InformationalModern Web Application
LowServer Leaks Version Information via "Server" HTTP Response Header Field

Top CWE List

Free online web security scanner

Don't show website scan report rating on the leaderboard