I am working through an OWASP ZAP report that has flagged a number of URLs on the site as being vulnerable to XSS, however the vulnerability isn't output in a context that's executable by the browser. For example, the report is showing
as a vulnerable URL.
The application does reflect this particular content in the response to the user:
var search = "John;alert(1)";
which I believe is what triggers the alert as an XSS attack in the application.
The XSS here is that an attacker could introduce whatever arbitrary code they wished in this context and have it reflected to the user's browser, however this code isn't executed.
Testing the vulnerability manually, the application is converting characters in the attempted attack before outputting them in the response (using PHP's htmlentities function), so something like
gets returned as:
var search = "John";alert(1);";
So the question is, does this still qualify as an active XSS vulnerability?
Note: I've noted that there's still opportunity for proper validation of the input parameters, but my concern is the security implications here.
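The context-encoding point the question turns on, as an added example that is not code from the original post or the application it describes: htmlentities is an HTML-body/attribute encoder, while a value written inside a `<script>` block needs a JavaScript-string encoder, which in PHP is json_encode with the HEX flags. The variable names and the sample value are my own.

```php
<?php
// Constructed sample value standing in for the reflected `search` parameter.
$untrusted = 'John";alert(1);';

// HTML-entity encoding is correct when the value lands in HTML text or a quoted
// attribute. Inside a <script> element the browser does not decode entities, so
// the JS parser sees a literal `&quot;` here rather than a string terminator.
$htmlEncoded = htmlentities($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
// $htmlEncoded === 'John&quot;;alert(1);'

// For a JavaScript string context the encoder must emit a valid JS literal.
// json_encode escapes the quote as \u0022; the HEX flags also hex-escape < > & '
// so the value can never close the enclosing <script> element or an attribute.
// Slashes are escaped by default, so "</script>" cannot appear in the output.
$jsEncoded = json_encode(
    $untrusted,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);
// $jsEncoded === '"John\u0022;alert(1);"'  (surrounding quotes are included)

// Emit the literal directly; do not wrap it in a second pair of quotes.
echo '<script>var search = ' . $jsEncoded . ';</script>';
```

Reviewing the reflected value with the JS-context encoder in place (rather than relying on htmlentities alone) is the check to record against the ZAP finding, since the two encoders treat backslashes and line terminators differently.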