Details
Alert Id 10031
Alert Type Passive
Status release
Risk
CWE
WASC
Technologies Targeted All
Tags OWASP_2017_A01
OWASP_2021_A03

Summary

This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

Solution

Validate all input and sanitize (attribute-encode) output before writing it into any HTML attribute value.
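The following is an added example, written in Python rather than taken from ZAP's Java rule, of the kind of check the Summary describes and of the encoding the Solution calls for. It extracts attribute values from a response, flags any that contain a query-string or POST parameter value, and shows `html.escape` as one attribute-encoding option. The function names, the `MIN_LEN` threshold and the sample request/response are assumptions made for the example.

```python
"""Added example, not ZAP's own code: a minimal passive check for
user-controlled HTML attribute values, plus an attribute-encoding helper."""
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# Assumption: very short parameter values ("1", "on") would match almost any
# attribute by chance, so they are ignored to reduce noise.
MIN_LEN = 3


class _AttrCollector(HTMLParser):
    """Collects (tag, attribute, value) for every attribute in the document.
    Note: HTMLParser reports attribute values with entities already decoded,
    so a correctly encoded reflection is still reported as a hot-spot; that
    matches the rule's purpose (flag for review, not prove exploitability)."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:
            if value is not None:
                self.attrs.append((tag, name, value))


def params_from_query(query: str) -> Dict[str, str]:
    """Decode a query string (or urlencoded POST body) into name -> value."""
    return dict(parse_qsl(query, keep_blank_values=True))


def find_user_controlled_attributes(params: Dict[str, str], body: str) -> List[dict]:
    """Return one record per attribute whose value contains a parameter value."""
    collector = _AttrCollector()
    collector.feed(body)
    collector.close()
    hits = []
    for tag, attr, value in collector.attrs:
        for pname, pvalue in params.items():
            if len(pvalue) >= MIN_LEN and pvalue in value:
                hits.append({"tag": tag, "attribute": attr,
                             "parameter": pname, "value": value})
    return hits


def attribute_safe(value: str) -> str:
    """Encode a value for use inside a quoted HTML attribute.
    quote=True also encodes the single and double quote characters, which is
    what keeps user input from terminating the attribute it is written into."""
    return html.escape(value, quote=True)


# Constructed sample traffic for the example, not real captured data.
SAMPLE_QUERY = "user=alice&next=%2Fhome"
SAMPLE_BODY = (
    '<html><body>'
    '<a href="/home">Home</a>'
    '<form><input type="text" name="user" value="alice"></form>'
    '<img src="/static/logo.png" alt="logo">'
    '</body></html>'
)

if __name__ == "__main__":
    for hit in find_user_controlled_attributes(params_from_query(SAMPLE_QUERY), SAMPLE_BODY):
        print(f"hot-spot: <{hit['tag']} {hit['attribute']}=...> reflects "
              f"parameter '{hit['parameter']}' (value {hit['value']!r})")
    print("encoded:", attribute_safe('O\'Brien & "Co"'))
```

Each hit is a candidate for manual review: the analyst still has to confirm whether the surrounding context (quoted attribute, unquoted attribute, URL attribute such as `href`) lets the reflected value change the attribute's meaning, which is the judgement the passive rule deliberately leaves to a human.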

References

Code

org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java