User Controllable URL

Impact: Medium


A user-controllable URL is an HTML attribute whose value is a URI, such as href on an a element or src on an img element, that an application fills directly from user input. Because the browser acts on whatever URI it finds in such an attribute, an attacker who controls the value can steer browser behaviour. The result can be cross-site scripting (XSS), when the supplied URI causes script execution, or phishing, when it sends users to a deceptive destination.


To mitigate this issue, avoid placing user input directly into URI-valued HTML attributes. Where a user-supplied URL must be used, validate and sanitize it on the server side so that it matches the patterns the application expects and cannot introduce a security risk.
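The following is an added example of the server-side validation described above; it is not code from the SmartScanner page. It allow-lists the URL scheme (and optionally the host) before a user-supplied value reaches an href attribute, and the host name good.example is a constructed placeholder.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048


def normalize(raw):
    """Strip surrounding whitespace and ASCII control characters.

    Browsers discard these before parsing, so a validator that does not do the
    same would see "java\tscript:..." as a harmless relative path while the
    browser sees a javascript: URL.
    """
    return "".join(ch for ch in raw.strip() if ch >= " " and ch != "\x7f")


def validate_url(raw, allowed_hosts=None):
    """Return a normalized URL if it passes the allow-list, otherwise None.

    Accepted: same-site paths starting with a single "/", and absolute URLs
    whose scheme is http/https (and whose host is in allowed_hosts, if given).
    Rejected: any other scheme (javascript:, data:, vbscript:, ...),
    scheme-relative "//host" or "/\\host" forms, and URLs carrying userinfo
    such as "https://trusted@evil", which browsers resolve to "evil".
    """
    if not isinstance(raw, str) or len(raw) > MAX_URL_LENGTH:
        return None
    candidate = normalize(raw)
    if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
        return candidate  # same-site relative path
    parts = urlsplit(candidate)  # urlsplit already lowercases the scheme
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    if not parts.hostname or parts.username is not None or parts.password is not None:
        return None
    if allowed_hosts is not None and parts.hostname.lower() not in allowed_hosts:
        return None
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/",
                       parts.query, parts.fragment))


def render_link(raw, text, allowed_hosts=None):
    """Emit an <a> element only for a validated URL; otherwise emit plain text."""
    url = validate_url(raw, allowed_hosts)
    if url is None:
        return escape(text)  # drop the link rather than emit an attacker-chosen URL
    return (f'<a href="{escape(url, quote=True)}" rel="noopener noreferrer">'
            f'{escape(text)}</a>')
```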


Last updated on May 13, 2024