
Injection: XSS via Query Parameter

Identifier: improper_input_xss_query_params

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

Cross-Site Scripting via query parameters occurs when an application copies a value taken from the URL query string into an HTML response (text, attribute, or script context) without encoding it for that context. An attacker who can get a victim to open a crafted URL then has their script executed in the victim's browser, in the origin of the vulnerable application.

How we test: We inject XSS payloads into query parameters and inspect the responses for the payload appearing in its original, unencoded form. A parameter whose value is echoed back verbatim is reported as reflected XSS; if the value only appears HTML-encoded, it is not reported. Only reflected (non-persistent) XSS is covered by this test; whether a reflection is actually exploitable still depends on the context it lands in and on any Content Security Policy the page enforces.
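The following is an added example, not the scanner's own code: a minimal search handler that reflects the `q` query parameter into HTML, the same handler with context-appropriate encoding, and the reflection check the test above describes. The handler names, the page template, and the payload string are assumptions made for the illustration.

```javascript
// Constructed example (not scanner code): reflected XSS through a query
// parameter, its fix, and a scanner-style reflection check.

// Payload used for the check; any marker string works as long as it would
// only survive unchanged when the application does not encode it.
const PAYLOAD = '<script>alert(1)</script>';

// HTML-encode the characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable handler: the query value is interpolated into markup verbatim.
function searchPageVulnerable(query) {
  const q = query.q ?? '';
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Fixed handler: same template, value encoded for the HTML text context.
function searchPageFixed(query) {
  const q = escapeHtml(query.q ?? '');
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Parse the request URL the way a server framework would, so the handler
// receives the decoded parameter value (the scanner sends it URL-encoded).
function parseQuery(url) {
  return Object.fromEntries(new URL(url, 'http://localhost').searchParams);
}

// Reflection check: send the payload in the given parameter and report true
// when the raw payload comes back unencoded in the response body.
function isReflectedUnencoded(handler, param, payload = PAYLOAD) {
  const url = `/search?${param}=${encodeURIComponent(payload)}`;
  const body = handler(parseQuery(url));
  return body.includes(payload);
}

// Stand-alone run: the vulnerable handler reflects, the fixed one does not.
console.log('vulnerable reflects:', isReflectedUnencoded(searchPageVulnerable, 'q'));
console.log('fixed reflects:', isReflectedUnencoded(searchPageFixed, 'q'));
```

The check above is deliberately the same signal the scanner uses: presence of the unencoded payload, not a browser execution. A hit therefore means "the value reaches the response without encoding" and should be confirmed in a browser against the actual injection context before being treated as exploitable.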

Configuration

Example

Example configuration:

---
security_tests:
  improper_input_xss_query_params:
    skip: false

Reference

skip

Type : boolean

Skip the test if true.