Thursday 24 November 2016

When is XSS dangerous to the web application

I am working on an old web application where a lot of XSS vulnerabilities have been discovered. At some places the parameters being passed from user forms are not HTML encoded, which makes such pages vulnerable to XSS, but these values are not being stored in a database or anywhere else. For example, there is a page where the user enters some search parameters like date, name, etc., and based on these parameters some search results are fetched and displayed to the user. So even if a user enters a script in the parameters, it will be executed only for this session.

So, could anyone please share whether you think this scenario is still a security concern and should be fixed?

Thanks!
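An added example, not from the original post, of the reflected pattern the question describes: a search page that echoes a query parameter straight into the HTML, the same page with output encoding applied, and a check that tells whether the raw parameter reached the rendered page. The handler functions and the sample search term are constructed for illustration.

```python
import html

# Constructed sample: a search term a visitor could place in the query string.
# It closes the input's value attribute and opens a script element.
SAMPLE_TERM = '"><script>alert(1)</script>'


def render_results_unencoded(term: str, rows: list[str]) -> str:
    """The pattern the question describes: the raw parameter is written into
    the page as-is. The browser parses whatever it contains as markup, so the
    script runs in the browser of whoever loads the page with that parameter,
    even though nothing is ever stored server-side."""
    body = "".join(f"<li>{r}</li>" for r in rows)
    return (f'<input name="name" value="{term}">'
            f"<p>Results for {term}:</p><ul>{body}</ul>")


def render_results_encoded(term: str, rows: list[str]) -> str:
    """Same page with output encoding at every point a value is emitted.
    html.escape(quote=True) covers both contexts used here: the quoted
    attribute (needs &quot;) and element text (needs &lt; and &gt;).
    Result rows are encoded too, since they come from another untrusted source."""
    safe = html.escape(term, quote=True)
    body = "".join(f"<li>{html.escape(r, quote=True)}</li>" for r in rows)
    return (f'<input name="name" value="{safe}">'
            f"<p>Results for {safe}:</p><ul>{body}</ul>")


def echoes_markup(page: str, term: str) -> bool:
    """Simple reflection check: if the submitted string appears verbatim in
    the rendered page, the parameter reached the HTML without encoding."""
    return term in page


if __name__ == "__main__":
    rows = ["Alice", "Bob"]
    print("unencoded reflects raw input:",
          echoes_markup(render_results_unencoded(SAMPLE_TERM, rows), SAMPLE_TERM))
    print("encoded reflects raw input:   ",
          echoes_markup(render_results_encoded(SAMPLE_TERM, rows), SAMPLE_TERM))
```

Encoding belongs at the output point and must match the context the value lands in (attribute, element text, URL, JavaScript), regardless of whether the value was ever stored.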
