Details

Alert ID: 210003-1
Alert Type: Tool
Status: alpha
Risk: High
CWE: 79
WASC:
Technologies Targeted: All
Tags: CWE-79, OWASP_2021_A03, OWASP_2025_A05, TOOL_PTK

Summary

A tainted javascript: URL is assigned to href and is likely to execute in the current browsing context. Generated by the OWASP PTK IAST module.

Solution

• Reject javascript: and attacker-controlled data: URLs from untrusted input.
• Normalize and allow-list destinations before assigning href/src/location values.
• Prefer route identifiers over raw URLs for navigation.
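
An added example (not part of the PTK rule or this alert's own code) of these checks in JavaScript: untrusted input goes through the WHATWG URL parser so the scheme is normalized before the allow-list is applied, and navigation by route identifier avoids raw URLs altogether. The names safeHref, resolveRoute, ROUTES and the app.example origins are assumptions.

```javascript
// Added example; all names and origins below are hypothetical.
const BASE = "https://app.example/"; // assumed application origin
const ALLOWED_PROTOCOLS = new Set(["https:"]);
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://docs.app.example"]);

// Route identifiers mapped to fixed destinations, so callers never pass raw URLs.
const ROUTES = Object.freeze({
  home: "/",
  profile: "/account/profile",
  help: "https://docs.app.example/help",
});

// Returns a normalized href that is safe to assign, or null if rejected.
function safeHref(untrusted, base = BASE) {
  if (typeof untrusted !== "string") return null;
  let url;
  try {
    // Parsing normalizes first: surrounding whitespace and control characters
    // are stripped, embedded tabs/newlines are removed, the scheme is
    // lowercased, and relative or scheme-relative input is resolved.
    url = new URL(untrusted, base);
  } catch {
    return null; // unparseable input is never assigned
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null; // javascript:, data:, ...
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;     // off-site destinations
  if (url.username || url.password) return null;         // no embedded credentials
  return url.href;
}

// Preferred form: navigate by identifier, not by URL.
function resolveRoute(id) {
  const known = Object.prototype.hasOwnProperty.call(ROUTES, id);
  return known ? safeHref(ROUTES[id]) : null;
}

// Browser usage (sketch): assign only a validated value.
//   const href = safeHref(userSuppliedValue);
//   if (href !== null) link.href = href;
```

Checking the raw string with a prefix test such as startsWith("javascript:") misses the mixed-case and whitespace-padded forms that the parser normalizes, which is why the allow-list is applied to the parsed URL.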

Other Info

References

Code

src/ptk/background/iast/modules/modules.json