JavaScript
JavaScript : XSS protection is disabled
Classification
- OWASP Top 10 2013
- OWASP Top 10 2017
- OWASP Top 10 2021
- CWE/SANS Top 25 2011
- CWE/SANS Top 25 2021
Overview
The X-XSS-Protection header is explicitly disabled, which may increase the risk of cross-site scripting attacks.
X-XSS-Protection is a response header that controls the browser's built-in cross-site scripting filter, which is enabled by default in Internet Explorer 8 and later and in the latest versions of Chrome. When the header value is set to 0 (false), that cross-site scripting protection is disabled.
The header can be set in multiple locations, so each of them should be checked both for misconfiguration and for malicious tampering.
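As an added example (not DerScanner's own code), the following Node.js snippet shows a handler that explicitly disables the header beside a corrected one, plus a small check that flags the disabled value the way a scanner would; the handler names, the `classifyXssProtection`/`auditHeaders` functions and the header values are assumed for illustration. The corrected handler also sets a Content-Security-Policy, since current browsers have dropped the built-in XSS filter and enforce CSP instead.

```javascript
// Added example: detect an explicitly disabled X-XSS-Protection header and
// show a weak response handler next to a corrected one. Uses no third-party
// modules, so it runs offline. Function names are assumptions for this example.

// Classify the header value as a scanner would.
// Returns 'disabled', 'enabled', 'missing' or 'invalid'.
function classifyXssProtection(value) {
  if (value === undefined || value === null) return 'missing';
  // Only the first token matters; directives such as "mode=block" follow a ';'.
  const first = String(value).trim().split(';')[0].trim();
  if (first === '0') return 'disabled';
  if (first === '1') return 'enabled';
  return 'invalid';
}

// Report a finding only when the header is explicitly set to 0, which is the
// condition this vulnerability class describes (header names lower-cased, as
// Node's http module exposes them).
function auditHeaders(headers) {
  if (classifyXssProtection(headers['x-xss-protection']) === 'disabled') {
    return { finding: 'XSS protection is disabled', severity: 'MEDIUM' };
  }
  return null;
}

// Weak handler: switches the legacy browser filter off.
function weakHandler(req, res) {
  res.setHeader('X-XSS-Protection', '0');
  res.end('hello');
}

// Corrected handler: keeps the legacy filter in block mode for old browsers
// and adds a CSP, which is what current browsers actually enforce.
function fixedHandler(req, res) {
  res.setHeader('X-XSS-Protection', '1; mode=block');
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  res.end('hello');
}

// Minimal stand-in for http.ServerResponse so a handler can be audited
// without starting a server; only setHeader() and end() are needed here.
function collectHeaders(handler) {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k.toLowerCase()] = v; }, end: () => {} };
  handler({}, res);
  return headers;
}

module.exports = { classifyXssProtection, auditHeaders, weakHandler, fixedHandler, collectHeaders };
```

Running `auditHeaders(collectHeaders(weakHandler))` yields the MEDIUM finding, while the corrected handler produces none.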
DerScanner Severity Score: MEDIUM