User Controllable URL

Impact: Medium


Several HTML attributes take a URI as their value, for example href on the a tag, src on the img, script and iframe tags, and action on the form tag. Depending on the element, the browser will navigate to or display the resource at that URI, execute script fetched from it (or contained in it, in the case of a javascript: URI), or submit user-entered data to it.

When an application places user input directly into one of these attributes, the user decides what the browser does with it. A javascript: or data: URI in href or src leads to cross-site scripting; an attacker-chosen http(s) URI in href, src or action turns the page into an open redirect or phishing vector, because the link or form appears to belong to the trusted site.


Avoid using raw user input as a URI in HTML attributes. Where a user-supplied URL is genuinely needed, parse it with a real URL parser, accept only an allowlist of schemes (normally http and https), check the resolved host against your own hosts if the URL must stay on-site, and HTML-attribute-encode the result before rendering. Blocklisting the string "javascript:" is not enough: browsers ignore case and strip tabs and newlines while parsing the scheme, so variants such as "JaVaScRiPt:" or "java<TAB>script:" still execute.
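The following is an added example, not SmartScanner's code, showing the difference between writing user input straight into an href attribute and passing it through a scheme and host allowlist first. It assumes a Node.js environment with the built-in WHATWG URL class, a hypothetical application base URL of https://app.example.com/, and hypothetical attacker input strings constructed here for illustration.

```javascript
// Added example (not SmartScanner's code). Demonstrates a user-controllable
// URL landing in href, and a hardened renderer that parses the URL and
// allowlists its scheme (and optionally its host) before use.

// Vulnerable form: whatever the user supplied becomes the link target.
// "javascript:alert(1)" executes in the page when the link is clicked.
function renderLinkUnsafe(input, text) {
  return `<a href="${input}">${text}</a>`;
}

const DEFAULT_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised absolute URL string, or null if the input is rejected.
// Options (all hypothetical names for this example):
//   base          - base used to resolve relative input (assumed app origin)
//   allowedSchemes - Set of accepted "protocol" values from the URL parser
//   allowedHosts   - array of hostnames the URL may point to, or null for any
function sanitizeUrl(input, opts = {}) {
  const {
    base = "https://app.example.com/",
    allowedSchemes = DEFAULT_SCHEMES,
    allowedHosts = null,
  } = opts;
  if (typeof input !== "string") return null;

  let url;
  try {
    // The WHATWG parser lower-cases the scheme and strips ASCII tab/newline
    // and leading control characters, so "JaVaScRiPt:" and "java\tscript:"
    // both come out with protocol "javascript:" and are caught below.
    url = new URL(input, base);
  } catch {
    return null; // unparsable input is rejected rather than passed through
  }

  if (!allowedSchemes.has(url.protocol)) return null;
  // Compare the parsed hostname, not the raw string: "https://app.example.com@evil.example/"
  // has hostname "evil.example", the part before "@" is userinfo.
  if (allowedHosts && !allowedHosts.includes(url.hostname)) return null;
  return url.href;
}

// HTML-encode for use in attribute values and text nodes.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Hardened form: rejected URLs lose the link but keep the visible label.
function renderLink(input, text, opts) {
  const href = sanitizeUrl(input, opts);
  if (href === null) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

module.exports = { renderLinkUnsafe, sanitizeUrl, escapeHtml, renderLink };
```

Without allowedHosts, a protocol-relative input such as "//evil.example/phish" resolves to https://evil.example/phish and passes the scheme check, which is exactly the phishing case above; pass allowedHosts whenever the link is expected to stay on your own site.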


Last updated on February 15, 2023

This issue is available in SmartScanner Professional
