
Validating XSS script with success response with expected data in REST API

Çağlar Arlı      -    4 Views


I am performing security testing on a REST API, and it is a POST method. I injected an XSS script in a body parameter and the API responded with a '200 success' response containing the actual expected data.

If the response is '200 OK' and the response body displays the actual response as the result, then I would have concluded this is a vulnerability, because the XSS script would have been stored and reacted to when the respective page is opened in a web browser (if the web application is also weak in security). So can we consider this as a vulnerability?
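The distinction the question turns on is where the stored string is rendered, not whether the API echoes it back. A JSON API returning the submitted value unchanged with a 200 is storing data; it only becomes stored XSS if some consumer later writes that value into an HTML context without encoding. The triage helper below is an added example (not code from the post or from any product it tests): it takes a response to a request that stored a harmless, constructed probe marker and reports whether the marker came back as JSON data, verbatim inside an HTML body, HTML-entity encoded, or not at all. The probe string, the sample responses and the verdict names are all assumptions made for this example.

```python
import json
from html import escape

# Constructed, harmless probe string: it carries the characters that matter
# for HTML injection but is not an executable payload.
PROBE = '<probe-marker>"\'&'


def _json_strings(obj):
    """Yield every string value in a parsed JSON document (recursive)."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _json_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _json_strings(v)
    elif isinstance(obj, str):
        yield obj


def classify_response(status, headers, body, probe=PROBE):
    """Triage one HTTP response to a request that stored `probe` in a field.

    Verdicts (assumed names for this example):
      not_reflected       probe absent from the body
      stored_in_json      probe present as a JSON string value (data, not a finding)
      reflected_raw_html  probe verbatim in a text/html body (finding: no output encoding)
      reflected_encoded   probe only present HTML-entity encoded (not a finding)
      reflected_raw_other verbatim in a non-HTML, non-JSON body (review the consumer)
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").lower()
    nosniff = hdrs.get("x-content-type-options", "").lower() == "nosniff"

    raw = probe in body
    encoded = escape(probe, quote=True) in body
    in_json = False
    if "application/json" in ctype:
        try:
            in_json = any(probe in s for s in _json_strings(json.loads(body)))
        except ValueError:
            in_json = False  # advertised as JSON but not parseable

    if in_json:
        verdict = "stored_in_json"
    elif raw and "text/html" in ctype:
        verdict = "reflected_raw_html"
    elif raw:
        verdict = "reflected_raw_other"
    elif encoded:
        verdict = "reflected_encoded"
    else:
        verdict = "not_reflected"

    return {
        "status": status,
        "content_type": ctype,
        "nosniff": nosniff,
        "raw": raw,
        "encoded": encoded,
        "in_json": in_json,
        "verdict": verdict,
    }


# Constructed sample responses, not captured from any real system.
SAMPLES = {
    "json_api": (
        200,
        {"Content-Type": "application/json; charset=utf-8",
         "X-Content-Type-Options": "nosniff"},
        json.dumps({"id": 7, "comment": PROBE}),
    ),
    "html_page": (
        200,
        {"Content-Type": "text/html; charset=utf-8"},
        "<div class='comment'>" + PROBE + "</div>",
    ),
    "html_encoded": (
        200,
        {"Content-Type": "text/html; charset=utf-8"},
        "<div class='comment'>" + escape(PROBE, quote=True) + "</div>",
    ),
}


def triage_all(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: classify_response(*resp)["verdict"] for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
```

Applied to the situation in the question, the `json_api` sample is the "200 with the expected data" case: the marker is stored and returned as JSON, which by itself is not XSS. The finding exists only when a consumer produces something like the `html_page` sample; the `html_encoded` sample shows a consumer that encodes on output and is not vulnerable. Confirming the vulnerability therefore means locating the page that renders the stored field and checking its output there, not stopping at the API's status code.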