ZAP – Response field rendered via innerHTML

Details
Alert ID	210007-1
Alert Type	Tool
Status	alpha
Risk	High
CWE	79
WASC
Technologies Targeted	All
Tags	CWE-79 OWASP_2021_A03 OWASP_2025_A05 TOOL_PTK

Summary

Response-derived data reached innerHTML. Generated by OWASP PTK IAST Module

Solution

• Treat response fields as untrusted when rendering rich HTML or unsafe templates. • Prefer text rendering or strict allow-listing for any response-driven markup.

Other Info

References

https://owasp.org/www-community/attacks/xss/
https://cwe.mitre.org/data/definitions/79.html

Code

src/ptk/background/iast/modules/modules.json