Alert group: Cross site scripting (content-sniffing)
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.
Recommendations: Your script should filter metacharacters from user input.
This type of XSS can only be triggered on (and affects) content sniffing browsers.
URL encoded GET input search was set to the'"()&%<acx><ScRiPt >BL79(9786)</ScRiPt>
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
The <ScRiPt%20>BL79(9647)</ScRiPt> XSS payload referenced within the output of the automated security scan above is returned as part of a JSON response from the MediaWiki action API with a content-type of application/json. No modern web browsers should be rendering this content as HTML where such a naive XSS payload would be executed. Additionally, the output appears to be properly sanitized when the action API results are returned as HTML (format=html). Resolving as invalid.