How to fix the XSS vulnerability that OWASP ZAP reports with "alert(1)"

After running the OWASP ZAP tool to scan our application, we find a number of XSS vulnerabilities when the tool attacks with this line:

" onMouseOver="alert(1); 

or

 ;alert(1) 

Such lines then appear in the server response, although they do nothing in the browser. Perhaps it is trying to insert additional attributes into the HTML tags, but how do we solve the problem?

-1
2 answers

If you can post the HTML surrounding the injected attack, that might be enough. If you select an alert in ZAP, the attack will be highlighted on the Response tab. Please note that we just released updated active scan rules that fix a false positive in the reflected XSS scan rule, so make sure you update the rules and then look again.

+2

Read what a cross-site scripting vulnerability can do to your application. The short answer is to apply input validation or output encoding so that malicious input is not rendered as an actual script.

A long answer can be found at: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

The cheat sheet with the fixes is here: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Hope this helps

0

Source: https://habr.com/ru/post/945283/
