SYM_RB_0077 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User-controlled input is used directly in the host portion of a URL for server-side HTTP requests. This allows attackers to specify arbitrary destinations for outgoing requests, putting sensitive data at risk.
Impact
If exploited, attackers could trick the server into connecting to malicious or internal systems (server-side request forgery, SSRF), potentially exposing sensitive data (like cookies or credentials), leaking internal network information, or enabling further attacks such as accessing protected resources.
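The pattern from the Description next to a hardened form, as an added example that is not part of this database entry or the rule's own code. Ruby is assumed from the "RB" in the rule ID; the allowlist, function names, path and sample inputs are hypothetical and constructed for illustration, and no network request is made.

```ruby
require "uri"

# Hypothetical allowlist of upstream hosts the application is meant to call.
ALLOWED_HOSTS = %w[api.example.com status.example.com].freeze

# Flagged pattern: a request parameter is interpolated into the host portion.
def build_url_unsafe(host_param)
  "https://#{host_param}/v1/health"
end

# Hardened form: exact allowlist match, then the URL is built from components
# so the value cannot introduce userinfo, a port, a path or a fragment.
def build_url_safe(host_param)
  host = host_param.to_s.downcase
  unless ALLOWED_HOSTS.include?(host)
    raise ArgumentError, "host not allowed: #{host_param.inspect}"
  end
  URI::HTTPS.build(host: host, path: "/v1/health")
end

# Host an HTTP client would actually connect to for a given URL string.
def effective_host(url)
  URI.parse(url).host
end

# For each input, report where the unsafe URL points and whether the
# hardened builder accepts the value.
def audit(inputs)
  inputs.map do |input|
    accepted = begin
      build_url_safe(input)
      true
    rescue ArgumentError
      false
    end
    { input: input, unsafe_host: effective_host(build_url_unsafe(input)), accepted: accepted }
  end
end

# Constructed sample parameter values.
SAMPLES = ["api.example.com", "10.0.0.5", "api.example.com@internal.test"].freeze

audit(SAMPLES).each { |row| puts row } if __FILE__ == $0
```

The third sample shows why a prefix or substring check on the parameter is not enough: the text before `@` is parsed as userinfo, so the connection goes to the host after it.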