Details
Alert Id 10043
Alert Type Passive Scan Rule
Status beta
Risk
CWE
WASC

Summary

This check looks at user-supplied input in query string parameters and POST data to identify where the values of JavaScript on* event-handler attributes in the response might be controlled by the user. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.
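
An added illustration, not the rule's own Java source, of the kind of check the summary describes: a small Python function that flags any on* event-handler attribute in a response whose value contains a request parameter value. The attribute regex, the minimum-length threshold and the sample request parameters and response body are assumptions constructed for this example.

```python
import re
from html import unescape
from urllib.parse import parse_qsl

# Matches on* event-handler attributes with double-quoted, single-quoted
# or unquoted values (assumed pattern, not the rule's own).
ON_ATTR_RE = re.compile(
    r"""\bon[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)

MIN_LEN = 3  # ignore very short values that would match by chance


def collect_params(query_string="", post_body=""):
    """Merge query-string and form-encoded POST parameters (POST wins on clash)."""
    params = {}
    for src in (query_string, post_body):
        params.update(parse_qsl(src, keep_blank_values=True))
    return params


def find_user_controlled_events(params, body):
    """Return (attribute_text, param_name, param_value) for every on* attribute
    whose (HTML-unescaped) value contains a request parameter value.
    Each hit is a hot-spot for an analyst to review, not a confirmed XSS."""
    hits = []
    for m in ON_ATTR_RE.finditer(body):
        attr_value = unescape(next(g for g in m.groups() if g is not None))
        for name, value in params.items():
            if len(value) >= MIN_LEN and value in attr_value:
                hits.append((m.group(0), name, value))
    return hits


# Constructed sample request parameters and response body.
PARAMS = collect_params("name=alice&page=2")
BODY = (
    '<a href="/p?page=2" onclick="track(\'alice\')">Hi</a>'
    '<img src="x" onerror=logIt(alice)>'
    '<button onmouseover="hover()">b</button>'
)

if __name__ == "__main__":
    for attr, name, value in find_user_controlled_events(PARAMS, BODY):
        print(f"parameter {name!r} ({value!r}) reflected in: {attr}")
```

The href attribute is ignored because it is not an event handler, and the short `page=2` value is skipped to limit false positives.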

Solution

Validate all input and sanitize output before writing it into any JavaScript on* event-handler attributes.

References

Code

org/zaproxy/zap/extension/pscanrulesBeta/UserControlledJavascriptEventScanRule.java