ZAP – eval() from storage/referrer taint

Details
Alert ID	210018-1
Alert Type	Tool
Status	alpha
Risk	High
CWE	94
WASC
Technologies Targeted	All
Tags	CWE-94 OWASP_2021_A03 OWASP_2025_A05 TOOL_PTK

Summary

Storage/referrer taint reached eval().

Generated by OWASP PTK IAST Module

Solution

• Do not execute values loaded from client storage or window.name. • Normalize and strictly validate route/referrer-based script parameters. • Avoid dynamic code execution APIs.

Other Info

References

https://owasp.org/www-community/attacks/xss/
https://cwe.mitre.org/data/definitions/94.html

Code

src/ptk/background/iast/modules/modules.json