ZAP – DOM XSS via document.write

Details
Alert ID	210000-5
Alert Type	Tool
Status	alpha
Risk	High
CWE	79
WASC
Technologies Targeted	All
Tags	CWE-79 OWASP_2021_A03 OWASP_2025_A05 TOOL_PTK

Summary

Tainted data passed to document.write. Generated by OWASP PTK IAST Module

Solution

• Avoid inserting untrusted strings into HTML or inline handlers. • Prefer textContent or safe templating; sanitize with DOMPurify when HTML is required. • Use CSP without unsafe-inline where possible.

Other Info

References

https://owasp.org/www-community/attacks/xss/
https://cwe.mitre.org/data/definitions/79.html

Code

src/ptk/background/iast/modules/modules.json