CWE-451 on ZAP /alerttags/cwe-451/ Recent content in CWE-451 on ZAP Hugo en-us DOM-based Link Manipulation (taint flow) /docs/alerts/220009-2/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/220009-2/ <p>Detects DOM code that rewrites link destinations (href attributes) with attacker-controlled data. Manipulated links can mislead users into visiting malicious targets even if navigation is not forced automatically.</p> <p>Generated by OWASP PTK SAST Module</p> IFrame content injection via srcdoc /docs/alerts/210012-2/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/210012-2/ <p>Tainted HTML assigned to iframe.srcdoc, enabling DOM-based XSS inside the frame.</p> <p>Generated by OWASP PTK IAST Module</p> IFrame navigation via src /docs/alerts/210012-1/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/210012-1/ <p>Tainted URL assigned to iframe.src, causing navigation to untrusted content.</p> <p>Generated by OWASP PTK IAST Module</p> Review assignments to href/src/action /docs/alerts/220009-1/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/220009-1/ <p>Detects DOM code that rewrites link destinations (href attributes) with attacker-controlled data. Manipulated links can mislead users into visiting malicious targets even if navigation is not forced automatically.</p> <p>Generated by OWASP PTK SAST Module</p> Untrusted DOM data into createHTMLDocument /docs/alerts/220010-2/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/220010-2/ <p>Detects untrusted DOM data being written into form metadata (formAction/target/method/value/placeholder), inline style surfaces (style/cssText/background*), document.title, history state, or createHTMLDocument — mutations that influence UI/navigation state without covering classic href/src/action sinks already handled elsewhere.</p> <p>Generated by OWASP PTK SAST Module</p> Untrusted DOM data into navigation-adjacent sinks /docs/alerts/220010-1/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/220010-1/ <p>Detects untrusted DOM data being written into form metadata (formAction/target/method/value/placeholder), inline style surfaces (style/cssText/background*), document.title, history state, or createHTMLDocument — mutations that influence UI/navigation state without covering classic href/src/action sinks already handled elsewhere.</p> <p>Generated by OWASP PTK SAST Module</p> Untrusted DOM data into UI mutation sinks /docs/alerts/220010-3/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/220010-3/ <p>Detects untrusted DOM data being written into form metadata (formAction/target/method/value/placeholder), inline style surfaces (style/cssText/background*), document.title, history state, or createHTMLDocument — mutations that influence UI/navigation state without covering classic href/src/action sinks already handled elsewhere.</p> <p>Generated by OWASP PTK SAST Module</p>