Injection: XSS via Query Parameter

Identifier: improper_input_xss_query_params

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

Improper input validation injection happens when an application accepts user-supplied data and processes it without adequately checking it first. For this check, the untrusted data is a URL query parameter that the application reflects into its response. This allows an attacker to insert harmful content, such as a malicious script, into the page and trick the browser into executing it. If such a vulnerability is exploited, sensitive data can be stolen, sessions hijacked, or the application's behavior manipulated. Developers commonly introduce it by not sanitizing inputs, assuming users will not supply harmful data, or misusing functions they believe are safe, leaving the door open for abuse.

Review every point where your application accepts external data. Clearly define what constitutes valid input for each field and enforce those rules strictly. Check lengths, types, and formats consistently before processing the data. Also keep the handling of external data separate from the internals of your system, so that even if unexpected data slips through, it is never interpreted as code in a risky context.
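The following is an added illustration, not code from the scanner or its documentation. It shows a minimal search handler that reflects the query parameter into HTML, first without any check (the pattern this test detects) and then with the two controls described above: a strict allow-list on the parameter and HTML encoding for the context the value is written into. It also includes a small defender-side probe that reports whether a handler echoes HTML metacharacters back unencoded, which is the observable signature of a reflected XSS. The parameter name `q`, the page template, the allow-list pattern and the probe marker are all assumptions made for this example.

```python
# Added example, not part of the scanner documentation.
# Parameter name "q", the page templates, the allow-list and the probe
# marker are constructed for this illustration.
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Allow-list for a search term: word characters, space and a few punctuation
# marks, bounded in length. Everything else is rejected outright.
SEARCH_TERM_RE = re.compile(r"^[\w .,'\-]{1,64}$")


def search_term(url):
    """Return the first 'q' query parameter of the URL, or '' if absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("q", [""])[0]


def render_vulnerable(url):
    """Vulnerable: the parameter is written into the page verbatim.

    Returns (body, status). Whatever markup the caller puts in 'q' becomes
    part of the document, so the browser will execute it.
    """
    term = search_term(url)
    body = f"<html><body><h1>Results for {term}</h1></body></html>"
    return body, 200


def render_hardened(url):
    """Hardened: validate against the allow-list, then encode for HTML text.

    Validation fails closed with a fixed error page rather than trying to
    "clean" the input. Encoding is still applied to accepted values because
    the allow-list permits characters (such as the apostrophe) that matter
    in an HTML attribute context.
    """
    term = search_term(url)
    if not SEARCH_TERM_RE.fullmatch(term):
        return "<html><body><h1>Invalid search term</h1></body></html>", 400
    safe = html.escape(term, quote=True)
    body = f"<html><body><h1>Results for {safe}</h1></body></html>"
    return body, 200


# Constructed probe: unique enough not to occur naturally and containing the
# metacharacters that must not survive into the response unencoded.
PROBE = "zz<probe>zz"


def reflects_unencoded(render, base_url="https://app.example/search"):
    """Defender-side check: does the handler echo the probe with '<' and '>'
    intact? A True result is what a reflected-XSS scan flags."""
    body, _status = render(f"{base_url}?q={quote(PROBE)}")
    return PROBE in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        print(f"{name}: reflects probe unencoded = {reflects_unencoded(handler)}")
```

The probe function is deliberately simple: it only answers whether the exact marker came back unchanged, which is enough to tell the two handlers apart and mirrors the reflection-based detection this check performs. In a real application the allow-list would be specific to each field, and the encoding function chosen for the context (HTML text, attribute, URL, JavaScript string) into which the value is written.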

References:

Configuration

Example

Example configuration:

---
security_tests:
  improper_input_xss_query_params:
    assets_allowed:
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.