
User Controllable URL

Impact: Medium

Description

A user-controllable URL is an HTML attribute of URI type, such as href on an a element or src on an img element, whose value is taken from user input. When an application places user input directly into such an attribute, a malicious user can control where the browser navigates or what it loads. This can lead to XSS (the manipulated URL causes script to execute) or phishing (the manipulated URL sends the user to a deceptive destination).

Recommendation

To mitigate the risk, do not place user input directly into URI attributes. Validate and sanitize user-supplied URLs on the server side so that they match the patterns the application expects and cannot be used to alter browser behavior.
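The following is an added example, not SmartScanner's code or anything from this page, showing one way to implement the recommendation above in Node.js: a user-supplied URL is parsed with the WHATWG URL class, checked against an allowlist of schemes (and optionally hosts), and only then encoded into an href attribute. The base origin `https://app.example/`, the host list and the sample inputs are constructed for illustration.

```javascript
// Added example, not SmartScanner's code: server-side allowlisting of a
// user-supplied URL before it is rendered into an href/src attribute.
// Runs under Node.js (global WHATWG URL class). The base origin and the
// host allowlist below are hypothetical values for this example.

const BASE_ORIGIN = 'https://app.example/';          // assumed application origin
const ALLOWED_SCHEMES = new Set(['http:', 'https:']); // navigation-only schemes

/**
 * Return a normalised absolute URL if `input` is acceptable, else null.
 * - The URL parser normalises scheme case and removes embedded tab/newline
 *   characters, which a naive string-prefix check would miss.
 * - Relative URLs are resolved against BASE_ORIGIN.
 * - The scheme check rejects javascript:, data:, vbscript: and similar.
 * - The optional host allowlist rejects scheme-relative "//other.host/..."
 *   inputs that would otherwise resolve to an attacker-chosen host.
 */
function sanitizeUrl(input, { allowedHosts = null } = {}) {
  if (typeof input !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(input.trim(), BASE_ORIGIN);
  } catch (_) {
    return null; // unparseable input is rejected, never passed through
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  if (allowedHosts !== null && !allowedHosts.has(parsed.hostname)) return null;
  return parsed.href;
}

// Attribute-context encoding. Validation decides which URL is allowed;
// encoding ensures the value cannot break out of the quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Render an <a> element. If the URL is rejected, fall back to plain text so
// the page still renders but nothing user-controlled reaches the attribute.
function renderLink(userUrl, linkText, opts) {
  const safe = sanitizeUrl(userUrl, opts);
  if (safe === null) return escapeHtml(linkText);
  return `<a href="${escapeHtml(safe)}">${escapeHtml(linkText)}</a>`;
}

// Constructed sample inputs covering the cases the validator must handle.
const SAMPLES = [
  'https://example.com/page?x=1', // plain absolute URL, allowed host
  '/account/settings',            // relative, resolved against BASE_ORIGIN
  'javascript:alert(1)',          // script-executing scheme
  '  JAVASCRIPT:alert(1)',        // leading whitespace and mixed case
  'java\tscript:alert(1)',        // embedded tab inside the scheme
  'data:text/html,hello',         // non-navigation scheme
  '//evil.example/login',         // scheme-relative, off-allowlist host
];

// Run every sample through the validator with a host allowlist and return
// a map of input -> result (null means rejected).
function checkSamples() {
  const hosts = new Set(['app.example', 'example.com']);
  const out = {};
  for (const s of SAMPLES) out[s] = sanitizeUrl(s, { allowedHosts: hosts });
  return out;
}
```

Two design points are worth noting. First, the scheme allowlist alone does not stop a scheme-relative input such as `//evil.example/login`, which resolves to a valid https URL; the host allowlist is what rejects it, so include one whenever the link is meant to stay on known hosts. Second, validation and output encoding are separate steps: `sanitizeUrl` decides which destinations are acceptable, and `escapeHtml` keeps the accepted value from terminating the attribute, which the page's recommendation implies but does not spell out.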


Last updated on May 13, 2024
