Summary
Tests top-level GET query parameters for browser-executed XSS by opening a real browser attack tab and requiring an execution marker after load or safe synthetic interaction.
Generated by OWASP PTK DAST Module
Solution
Treat URL query parameters as untrusted input and never pass them into dangerous DOM sinks such as innerHTML, outerHTML, insertAdjacentHTML, inline event handlers, JavaScript URLs, style blocks, or script-building logic.
• Use textContent or equivalent safe DOM APIs for user-controlled strings.
• Avoid building HTML, CSS, JavaScript, or URLs directly from window.location.search and related URL sources.
• Apply contextual encoding or a well-configured sanitizer where rendering is unavoidable.
• Use a restrictive Content Security Policy to reduce exploitability.
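The following is an added example, not code from OWASP PTK or the module above, showing the Solution's advice in JavaScript that runs under Node.js: a query string is read the way a page reads window.location.search, and each value is either encoded for the HTML context or validated for the URL context before any markup is assembled. The function names (parseQuery, encodeHtml, safeHref, buildGreetingHtml), the parameter names `name` and `next`, and the query strings in the comments are this example's own assumptions.

```javascript
// Added example (not OWASP PTK code). Demonstrates safe handling of a reflected
// query parameter: contextual encoding for HTML and scheme validation for hrefs.
// In a real page, prefer textContent / setAttribute over building HTML strings;
// the string-building form is shown here because it can run and be checked
// outside a browser.

// Read the query string the way a page reads window.location.search.
// Keeps the first value for each key, matching URLSearchParams.get().
function parseQuery(search) {
  const params = new URLSearchParams(search);
  const out = {};
  for (const [key, value] of params) {
    if (!(key in out)) out[key] = value;
  }
  return out;
}

// HTML text/attribute context: encode the five characters that can change
// the parse of surrounding markup. Use only where markup must be assembled;
// textContent needs no encoding at all.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL context: a link target taken from a parameter is allowed only if it
// resolves to http: or https:. The constructed base (example.invalid) exists
// solely to classify relative paths; the original string is returned unchanged
// when allowed and replaced by '#' otherwise.
function safeHref(value) {
  let parsed;
  try {
    parsed = new URL(String(value), 'https://example.invalid/');
  } catch {
    return '#'; // unparseable input is treated as a rejected URL
  }
  const allowed = parsed.protocol === 'http:' || parsed.protocol === 'https:';
  return allowed ? String(value) : '#';
}

// Safe assembly: every untrusted value is encoded for the context it lands in.
// The unsafe counterpart this module is designed to catch would concatenate
// `name` and `next` straight into innerHTML.
function buildGreetingHtml(search) {
  const { name = 'guest', next = '/' } = parseQuery(search);
  return (
    '<p>Hello ' + encodeHtml(name) + '</p>' +
    '<a href="' + encodeHtml(safeHref(next)) + '">Continue</a>'
  );
}

// Constructed sample input, as a page might receive it in location.search:
// '?name=%3Cb%3Eguest%3C%2Fb%3E&next=javascript:x'
// -> '<p>Hello &lt;b&gt;guest&lt;/b&gt;</p><a href="#">Continue</a>'
module.exports = { parseQuery, encodeHtml, safeHref, buildGreetingHtml };
```

The encoded output renders the parameter as literal text and drops the non-http link target, which is the behaviour the Solution asks for; pairing it with a restrictive Content Security Policy limits the impact if a sink is still missed elsewhere in the page.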
Other Info
References
Code
src/ptk/background/dast/modules/modules.json