ZAP – User Controllable JavaScript Event (XSS)

Details
Alert ID	10043
Alert Type	Passive
Status	release
Risk	Informational
CWE	20
WASC	20
Technologies Targeted	All
Tags	CWE-20 OWASP_2017_A01 OWASP_2021_A03 POLICY_PENTEST
More Info	Scan Rule Help

Summary

This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

Solution

Validate all input and sanitize output it before writing to any Javascript on* events.

Other Info

User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL: http://example.com/i.php?place=moon&name=Foo includes the following Javascript event which may be attacker-controllable: User-input was found in the following data of an [onerror] event: foo The user input was: foo

References

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

Code

org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java