
Why User Controllable HTML Element Attribute (Potential XSS) can be dangerous

The alert looks for GET and POST request parameters whose values are reflected into an attribute of an HTML element in the resulting page.

This may be a sign of an XSS (Cross-Site Scripting) vulnerability, which enables an attacker to inject malicious code, e.g. JavaScript snippets, into the HTML displayed to the user. The injected code runs in the user's browser as if the user had run it themselves, e.g. with the user's full application access when logged in.

The attacker may prepare a valid HTTP request containing malicious JavaScript code in a parameter that will be embedded in an attribute of the resulting HTML page and executed in the user's browser. Such a request can be passed to the user for execution, e.g. as a GET request hidden behind a clickable link in an ordinary email, message or forum post.

How to fix User Controllable HTML Element Attribute (Potential XSS)

Any occurrence of this alert should be manually reviewed by developers to confirm that the input value is included in the resulting HTML as intended (e.g. a search query parameter rendered back into the results page) and that it cannot be exploited, e.g. by breaking out of the attribute and injecting JavaScript code.

Otherwise the application code should be modified to:

Allow HTML parts injection only where needed.

Sanitize and attribute-encode input values according to the specific use case and technology; find more information:
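As an added example (not code from the original page or from ScanRepeat), the vulnerable and the fixed rendering of a search field in Python, together with a check that parses the output the way a browser would and reports whether the user value introduced attributes the template did not define. The payload and the function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input that tries to close the value="" attribute and
# add its own attributes (not taken from the original page).
PAYLOAD = '" onfocus="alert(1)" autofocus="'

# Attributes the template itself defines on the element.
EXPECTED = {"type", "name", "value"}


def render_unsafe(query: str) -> str:
    # Vulnerable: the user-controlled value is concatenated straight into the
    # attribute, so a double quote in the input ends the attribute early.
    return f'<input type="text" name="q" value="{query}">'


def render_safe(query: str) -> str:
    # Fixed: attribute-encode the value. quote=True also turns " and ' into
    # entities, so the input can never close the attribute it is placed in.
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


class AttrCollector(HTMLParser):
    # Records the attributes a parser actually sees on the first start tag.
    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(snippet: str) -> dict:
    # Entity references in attribute values are decoded, just as a browser
    # would decode them, so the original text is recovered in the safe case.
    parser = AttrCollector()
    parser.feed(snippet)
    return parser.attrs or {}


def injects_attribute(snippet: str, expected: set) -> bool:
    # The review check: did the user value add attributes beyond the ones the
    # template defines? That is exactly the condition this alert flags.
    return bool(set(parsed_attributes(snippet)) - expected)
```

Running `injects_attribute` over both renderings shows the unsafe one gaining `onfocus` and `autofocus` attributes, while the encoded one keeps only the three expected attributes and round-trips the original text as the `value`.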

How does ScanRepeat report User Controllable HTML Element Attribute (Potential XSS)

This problem is reported with a complete example of an HTTP request, including the parameter list, that resulted in a parameter value being injected into an attribute in the resulting HTML page code.

Would you like to test your application now against this problem? Sign up for our free trial.
