Details
Alert ID 210017-7
Alert Type Tool
Status alpha
Risk High
CWE 79
WASC
Technologies Targeted All
Tags CWE-79
OWASP_2021_A03
OWASP_2025_A05
TOOL_PTK

Summary

Persisted/reflected client-side values reached iframe.srcdoc.

Generated by OWASP PTK IAST Module

Solution

• Do not trust client-side persisted values (cookies, localStorage, sessionStorage, window.name, document.referrer).
• HTML-encode every such value before inserting it into markup, and do not emit inline event handlers.
• Apply strict, sink-specific validation (for example an allowlist) to values that drive route- or referrer-based rendering.
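The following is an added example, not code from the PTK project or from this alert page. It shows the three solution points applied to the iframe.srcdoc sink named in the summary: a persisted value (a display name from sessionStorage) and a route-driven value (location.hash) are encoded and allowlisted before they reach srcdoc, and the frame is sandboxed as defense in depth. The helper names, the route table and the sample stored value are constructed for illustration.

```javascript
// Added example (not part of the PTK/ZAP alert page): building an iframe.srcdoc
// from client-side persisted values without letting them become markup.
// Assumptions: the app shows a welcome line built from sessionStorage and a route
// id taken from location.hash; all helper names below are hypothetical.

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Sink-specific validation for route-driven rendering: only a known route id may
// select a template; anything else (path tricks, prototype names) falls back.
const ROUTE_TEMPLATES = {
  home: 'Home',
  profile: 'Your profile',
};

function resolveRoute(rawRoute) {
  const key = String(rawRoute).replace(/^#\/?/, '');
  return Object.prototype.hasOwnProperty.call(ROUTE_TEMPLATES, key) ? key : 'home';
}

// Vulnerable pattern the alert describes: a persisted value concatenated straight
// into srcdoc, so any markup it carries is parsed and executed by the frame.
function buildSrcdocUnsafe(name) {
  return `<p>Welcome back, ${name}</p>`;
}

// Hardened pattern: untrusted values only ever appear as encoded text, the route
// is allowlisted, and no inline handlers are emitted.
function buildSrcdocSafe(name, rawRoute) {
  const route = resolveRoute(rawRoute);
  return `<!doctype html><p>${escapeHtml(ROUTE_TEMPLATES[route])}: welcome back, ${escapeHtml(name)}</p>`;
}

// Mount the frame with a fully restrictive sandbox: an un-sandboxed srcdoc frame is
// same-origin with its parent, so script inside it has full access to the parent.
function mountFrame(doc, srcdoc) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', '');
  frame.srcdoc = srcdoc;
  doc.body.appendChild(frame);
  return frame;
}

// Constructed sample: a stored display name that carries a script element.
const SAMPLE_NAME = 'alice<script>alert(1)</script>';

// Only runs in a browser; in Node the DOM globals are absent and this is skipped.
if (typeof document !== 'undefined') {
  const stored = sessionStorage.getItem('displayName') ?? '';
  mountFrame(document, buildSrcdocSafe(stored, location.hash));
}
```

The encoded output is still a valid HTML document, so the frame renders the stored name literally instead of executing it; the sandbox attribute is a second layer, not a substitute for the encoding, because a sandbox that is later relaxed (for example with allow-scripts) would expose the sink again.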

Other Info

References

Code

src/ptk/background/iast/modules/modules.json