Why / how is `value="javascript:alert(1)"` considered an XSS vulnerability by the OWASP ZAP tool?

The results for OWASP ZAP were very helpful in removing the vulnerable parts of my website.

However, I found many results that I simply cannot fix. For example, one of the GET parameters: ZAP places javascript:alert(1); into it, and PHP then outputs that variable as the value attribute of a hidden input element. So the final HTML looks like this:

 <input type="hidden" name="someName" id="someID" value="javascript:alert(1);"/> 

This value is typically used to populate a JavaScript drop-down list. If it is 1, additional search filters are shown; if it is 0, nothing is shown. Thus, it is only used in string comparisons, which simply fail.

I do not see how this could be exploited; the alert does not fire, unlike the other attacks that ZAP showed me. The output is encoded, so they cannot inject HTML, close the quotes, or close the element early with `"/>` like the previously detected attacks did, since these characters become their HTML entity equivalents.

Is this just a false positive, with ZAP matching the input string in the page source, since HTML-encoding javascript:alert(1); still yields exactly javascript:alert(1); ?

+6
3 answers

Yes, OWASP ZAP tries to find vulnerabilities on your website, and it does so automatically.

If it manages to add ANY PIECE of code to your website, the website is automatically considered vulnerable.

If your site accepts only "0" or "1" as a value for the hidden input and does not save or request the value anywhere else (not even in cookies), this is not a security vulnerability and you are safe.

+1

The vulnerability means that ZAP was able to insert arbitrary code into this input field. This means that you most likely do not check user input somewhere in the application.

You should be more careful when creating this input field and make sure that the GET parameters used to create it are checked accordingly.

Remember, it's better to be safe than sorry (i.e. to compromise your application).

+1

Your HTML looks safe to me. However, consider a similar case:

 <a href="javascript:alert(1);">test</a> 

This will create a link that executes JavaScript. Perhaps ZAP is being especially careful, which is why such cases get flagged.

In this particular case, you must specify which URL schemes are allowed in user-supplied links. For example, only allow http, https, mailto, etc.

0
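As an added example that is not part of any of the answers above (written in Python rather than the PHP the question's site uses, with constructed sample inputs), this shows the two fixes the answers suggest: the hidden field only ever receives "0" or "1", it is still attribute-encoded on output, and user-supplied links get a URL-scheme allow-list, since in an href context encoding alone does not stop `javascript:`.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample: the string ZAP injected into the GET parameter.
ZAP_PAYLOAD = "javascript:alert(1);"

ALLOWED_FLAG_VALUES = {"0", "1"}            # what the page's JS actually compares against
ALLOWED_LINK_SCHEMES = {"http", "https", "mailto"}


def attribute_encode(value):
    """HTML-encode for a double-quoted attribute. Note that the ZAP payload
    contains no <, >, & or quotes, so it survives encoding unchanged; that is
    why the questioner sees it verbatim in the page source."""
    return html.escape(value, quote=True)


def normalise_flag(raw):
    """Allow-list the hidden-input flag: anything other than "0"/"1" falls back
    to "0", so the injected string never reaches the HTML at all."""
    return raw if raw in ALLOWED_FLAG_VALUES else "0"


def render_hidden_input(raw):
    """Hidden input from the question, rendered with both the allow-list and
    attribute encoding (defence in depth: encoding alone already prevents
    breaking out of the quoted attribute)."""
    return '<input type="hidden" name="someName" id="someID" value="%s"/>' % (
        attribute_encode(normalise_flag(raw)))


def is_safe_link(url):
    """href context: a javascript: URL runs without any special characters,
    so allow-list the scheme. Browsers drop tab/CR/LF anywhere in a URL, strip
    leading/trailing controls and spaces, and match the scheme
    case-insensitively, so normalise the same way before checking."""
    cleaned = re.sub(r"[\t\r\n]", "", url)
    cleaned = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", cleaned)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        # No scheme: accept only same-origin absolute paths, never "//host/..."
        return cleaned.startswith("/") and not cleaned.startswith("//")
    return scheme in ALLOWED_LINK_SCHEMES


def render_link(url, text):
    """Render an <a> for a user-supplied URL; unsafe URLs are replaced by '#'."""
    if not is_safe_link(url):
        url = "#"
    return '<a href="%s">%s</a>' % (attribute_encode(url), html.escape(text))
```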

Source: https://habr.com/ru/post/945274/
