Details
Alert ID 200024
Alert Type Tool
Status alpha
Risk Medium
CWE 79
WASC
Technologies Targeted All
Tags CWE-79
OWASP_2021_A03
OWASP_2025_A03
TOOL_PTK

Summary

Tests callback-like request parameters for JSONP-style JavaScript responses in which the user-supplied value is reflected as the name of the function the response calls. When the server echoes that value without restricting it to a valid JavaScript identifier, the parameter controls executable script in the response body (CWE-79).

Generated by OWASP PTK DAST Module

Solution

Avoid JSONP for new APIs. Return plain JSON with an explicit CORS policy instead.
• If JSONP must be supported, validate the callback against a strict allowlist of JavaScript identifiers (letters, digits, underscore and dollar sign, optionally dot-separated, with a short length limit) and never echo anything else.
• Return an error for callback names that are not known safe JavaScript identifiers; do not fall back to stripping characters, since partial sanitising of a value that becomes code is easy to get wrong.
• Serve JSONP with Content-Type: application/javascript and X-Content-Type-Options: nosniff so the response cannot be reinterpreted as HTML.
• Prefer same-origin JSON APIs and explicit CORS policy over executable script responses. A JSONP response is readable by any origin that includes it as a script, so it must never carry data tied to the caller's session.
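The following is an added illustration, not code from OWASP PTK: a JSONP handler that concatenates the callback verbatim, the hardened version that applies the identifier allowlist described above, and the kind of reflection probe a scanner sends to tell the two apart. The probe string, the sample data and all function names are assumptions made for the example.

```javascript
// Added example, not part of OWASP PTK: a vulnerable JSONP endpoint, its
// hardened counterpart, and a scanner-style reflection probe.
// The probe value, sample data and function names are assumptions.

// Allowlist shape: a JavaScript identifier, optionally dotted (e.g. "jQuery.cb1"),
// built only from letters, digits, "_" and "$", capped at MAX_CALLBACK_LEN.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isSafeCallback(name) {
  return typeof name === 'string'
    && name.length > 0
    && name.length <= MAX_CALLBACK_LEN
    && CALLBACK_RE.test(name);
}

// Vulnerable: the callback parameter is concatenated verbatim, so
// callback=alert(1);// produces "alert(1);//({...});", which runs alert(1).
function jsonpVulnerable(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/javascript' },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

// Hardened: reject anything that is not a safe identifier, pin the script
// content type, and forbid sniffing so the body cannot be treated as HTML.
function jsonpHardened(callback, data) {
  if (!isSafeCallback(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff' },
      body: JSON.stringify({ error: 'invalid callback' }),
    };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment stops the caller from controlling the first bytes of the body.
    body: `/**/ ${callback}(${JSON.stringify(data)});`,
  };
}

// Scanner-side check: send a callback value that is NOT a valid identifier and
// see whether the server echoes it as the called function. A 200 response whose
// body starts with the probe verbatim means the parameter controls executed script.
const PROBE = 'ptkProbe(1);//'; // constructed probe value

function probeCallbackReflection(handler, probe = PROBE) {
  const res = handler(probe, { ok: true });
  const body = res.body.replace(/^\s*\/\*\*\/\s*/, '');
  return res.status === 200 && body.startsWith(`${probe}(`);
}

// Stand-alone run: the vulnerable handler reflects the probe, the hardened one does not.
console.log('vulnerable reflects probe:', probeCallbackReflection(jsonpVulnerable));
console.log('hardened reflects probe:', probeCallbackReflection(jsonpHardened));
```

The allowlist accepts only identifier characters, so a value such as alert(1);// is refused with a 400 rather than being trimmed into something that still executes. In a real deployment a fixed set of known callback names is stricter still, and the nosniff header matters even when the callback is valid, because the body is attacker-influenced text that a browser might otherwise sniff as HTML.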

Other Info

References

Code

src/ptk/background/dast/modules/modules.json