Details
Alert ID 200007
Alert Type Tool
Status alpha
Risk High
CWE 79
WASC
Technologies Targeted All
Tags CWE-79
OWASP_2021_A03
OWASP_2025_A05
TOOL_PTK

Summary

Tests hash-based SPA parameters (http://host/#/route?param=…) for DOM XSS by mutating the hash in a dedicated attack tab and inspecting the DOM.

Generated by OWASP PTK DAST Module

Solution

Treat all hash-based parameters and client-side routing inputs as untrusted, and ensure they are never inserted into the DOM as HTML or script.
• Use safe DOM APIs that set text content rather than HTML where user input is involved.
• Avoid building HTML strings from concatenated parameters and instead use templating or component frameworks safely.
• Combine these practices with a restrictive Content Security Policy to reduce exploitability.
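As an added example (not code from ZAP or the PTK module), the sink pattern this alert looks for is shown beside the hardened form the solution describes. The hash format follows the summary; the `FakeElement` stand-in and the sample hash are constructed so the snippet runs in Node without a browser.

```javascript
// Parse "#/route?param=value" into { route, params } (SPA convention from the
// alert summary). URLSearchParams performs the percent-decoding.
function parseHashRoute(hash) {
  const h = hash.startsWith('#') ? hash.slice(1) : hash;
  const qIndex = h.indexOf('?');
  const route = qIndex === -1 ? h : h.slice(0, qIndex);
  const params = new URLSearchParams(qIndex === -1 ? '' : h.slice(qIndex + 1));
  return { route, params };
}

// Constructed stand-in for a DOM element: records which sink was written to.
class FakeElement {
  constructor() { this.innerHTML = ''; this.textContent = ''; }
}

// Vulnerable pattern: the hash parameter is concatenated into an HTML string
// and assigned to innerHTML, so any markup it carries is parsed by the browser.
function renderUnsafe(el, hash) {
  const { params } = parseHashRoute(hash);
  el.innerHTML = '<h1>Hello ' + params.get('name') + '</h1>'; // DOM XSS sink
  return el.innerHTML;
}

// Hardened pattern: the same value is set as text, so markup is never parsed.
function renderSafe(el, hash) {
  const { params } = parseHashRoute(hash);
  el.textContent = 'Hello ' + (params.get('name') ?? '');
  return el.textContent;
}

// For the cases where an HTML string must still be assembled, escape first.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Constructed sample: a hash whose parameter carries HTML markup.
const SAMPLE_HASH = '#/profile?name=%3Cb%3Ebold%3C%2Fb%3E';
```

With `SAMPLE_HASH`, `renderUnsafe` leaves `<b>bold</b>` inside `innerHTML` as live markup, while `renderSafe` stores the same characters as inert text and never touches `innerHTML`.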

Other Info

References

Code

src/ptk/background/dast/modules/modules.json