ZAP – Client-side redirect via history.pushState

Tainted URL passed to history.pushState, altering client-side navigation.

Generated by OWASP PTK IAST Module

• Allow-list navigation targets and normalize paths before use. • Avoid assigning untrusted URLs to location APIs.