DerScanner
Home / Vulnerability Database / TypeScript : XSS protection is disabled
TypeScript

TypeScript : XSS protection is disabled

Classification

OWASP Top 10 2013
A6-Sensitive Data Exposure
OWASP Top 10 2017
A6-Security MisconfigurationA7-Cross-Site Scripting (XSS)
OWASP Top 10 2021
A5-Security MisconfigurationA3-Injection
OWASP ASVS
Validation, Sanitization and EncodingValidation, Sanitization and Encoding
PCI DSS 4.0
4.2.16.2.4
CWE
CWE-79CWE-80CWE-81CWE-83CWE-1032
CWE/SANS Top 25 2011
CWE-79
CWE/SANS Top 25 2021
CWE-79

Overview

The X-XSS-Protection header is explicitly disabled which may increase the risk of cross-site scripting attacks.

The X-XSS-Protection refers to a header that is automatically enabled in Internet Explorer 8 upwards and the latest versions of Chrome. When the header value is set to false (0) cross-site scripting protection is disabled. The header can be set in multiple locations and should be checked for both misconfiguration as well as malicious tampering.

References

  1. OWASP Top 10-2017 A7-Cross-Site Scripting (XSS)
  2. OWASP: Cross-site Scripting (XSS)
  3. Cross-Site Scripting Filter
  4. CWE-79: Improper Neutralization of Input During Web Page Generation
  5. Types of Cross-Site Scripting - OWASP
  6. DOM Based XSS attacks: what is the most dangerous example?
  7. OWASP: XSS Prevention Cheat Sheet
  8. OWASP Top 10 2017-A6-Security Misconfiguration
  9. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  10. CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  11. CWE-81: Improper Neutralization of Script in an Error Message Web Page
  12. CWE-83: Improper Neutralization of Script in Attributes in a Web Page
MEDIUM

DerScanner Severity Score

Do you want to fix TypeScript : XSS protection is disabled in your application?

See also

TypeScript

TypeScript : Unsafe Azure access control

TypeScript

TypeScript : Debug code

TypeScript

TypeScript : Null encryption key