| Details | |
|---|---|
| Alert ID | 220006-4 |
| Alert Type | Tool |
| Status | alpha |
| Risk | Medium |
| CWE | 20 |
| WASC | |
| Technologies Targeted | All |
| Tags | CWE-20 OWASP_2021_A04 OWASP_2025_A05 TOOL_PTK |
Summary
Flags client-side code in which the destination URL handed to navigator.sendBeacon, EventSource, or an Axios request can be influenced by attacker-controlled input. When the destination is attacker-controlled, the request body (beacon payload, telemetry) is delivered to a host of the attacker's choosing, credentialed requests carry the user's cookies there, and an EventSource will consume whatever events that host emits.
Generated by OWASP PTK SAST Module
Solution
• Build beacon, EventSource, and API client destinations from fixed configuration, not from user-controlled strings.
• Apply strict allow-lists for scheme, host, and path to the resolved URL before constructing a network destination.
• Reject attacker-controlled cross-origin URLs even when the request is “read-only” or telemetry-oriented.
Other Info
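The following is an added example, not code from the alert page or from OWASP PTK, showing the flagged pattern next to a hardened destination builder that applies the three solution steps above. The base URL, allowed host, and path prefixes are hypothetical configuration, and the sample inputs are constructed for the example; the checks run on the URL as the WHATWG parser resolves it, so absolute, protocol-relative, backslash, and credential-carrying inputs are caught after normalisation rather than by string matching on the raw input.

```javascript
// Added example (not from the alert page or OWASP PTK). Hypothetical fixed
// configuration: the only legitimate backend is https://api.example.com and
// telemetry/API calls go only to the path prefixes below. None of this is
// ever derived from user input.
const BASE_URL = "https://api.example.com";
const ALLOWED_SCHEMES = new Set(["https:"]);
const ALLOWED_HOSTS = new Set(["api.example.com"]);
const ALLOWED_PATH_PREFIXES = ["/v1/beacon/", "/v1/events/", "/v1/api/"];

// The pattern this alert flags: the destination is whatever the attacker
// supplied (query string, postMessage payload, stored settings). With
// navigator.sendBeacon(target, body) the body goes wherever `target` points.
function vulnerableDestination(untrustedTarget) {
  return untrustedTarget;
}

// Hardened builder: untrusted input may only pick a path under the fixed base.
// Scheme, host, credentials and path prefix are checked on the *resolved* URL.
function buildDestination(untrustedPath) {
  if (typeof untrustedPath !== "string") {
    throw new TypeError("destination path must be a string");
  }
  let url;
  try {
    url = new URL(untrustedPath, BASE_URL); // absolute input overrides the base
  } catch {
    throw new Error("unparseable destination");
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) throw new Error("scheme not allowed: " + url.protocol);
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error("host not allowed: " + url.hostname);
  if (url.username || url.password) throw new Error("credentials in URL not allowed");
  // The WHATWG parser already collapses "." and ".." segments (including the
  // %2e-encoded forms); reject any dot segment that survives in decoded form.
  let decodedPath;
  try {
    decodedPath = decodeURIComponent(url.pathname);
  } catch {
    throw new Error("malformed path encoding");
  }
  if (decodedPath.split("/").some((seg) => seg === "." || seg === "..")) {
    throw new Error("path traversal segment");
  }
  if (!ALLOWED_PATH_PREFIXES.some((prefix) => url.pathname.startsWith(prefix))) {
    throw new Error("path not allowed: " + url.pathname);
  }
  url.hash = ""; // fragments never reach the server; drop them
  return url.href;
}

function isAllowedDestination(untrustedPath) {
  try {
    buildDestination(untrustedPath);
    return true;
  } catch {
    return false;
  }
}

// Beacon sender with the transport injected so the example runs offline;
// in a browser pass (u, b) => navigator.sendBeacon(u, b). The same validated
// URL is what you would hand to new EventSource(...) or axios.get(...).
function sendTelemetry(untrustedPath, payload, send) {
  const url = buildDestination(untrustedPath); // throws before anything is sent
  return send(url, JSON.stringify(payload));
}

// Constructed sample inputs (not from the page) and the verdict for each.
const SAMPLE_INPUTS = [
  "/v1/events/stream?channel=42",         // allowed
  "https://evil.example/v1/events/stream", // absolute URL overrides the base
  "//evil.example/v1/events/stream",       // protocol-relative
  "\\\\evil.example/v1/events/stream",     // backslashes parse as slashes
  "https://api.example.com@evil.example/v1/events/stream", // userinfo trick
  "/v1/events/../../admin",                // traversal out of the prefix
  "http://api.example.com/v1/events/stream", // downgraded scheme
];
function classifySamples(inputs = SAMPLE_INPUTS) {
  return Object.fromEntries(inputs.map((input) => [input, isAllowedDestination(input)]));
}
```

In practice `buildDestination` is the only way a request destination is produced: the beacon, EventSource, and Axios call sites take its return value and never a raw string, so a missed check fails closed with an exception rather than sending data cross-origin.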
References
- https://owasp.org/www-project-web-security-testing-guide/latest/
- https://cwe.mitre.org/data/definitions/20.html