| Details | |
|---|---|
| Alert ID | 220007-5 |
| Alert Type | Tool |
| Status | alpha |
| Risk | Medium |
| CWE | 829 |
| WASC | |
| Technologies Targeted | All |
| Tags |
CWE-829 OWASP_2021_A08 OWASP_2025_A05 TOOL_PTK |
Summary
Detects dynamic script, worker, and service-worker loader endpoints that can be influenced by attacker-controlled client-side data.
Generated by OWASP PTK SAST Module
Solution
• Load workers, service workers, and helper scripts from fixed, trusted URLs only. • Do not derive script loader destinations from URL parameters, storage, messages, or DOM input. • Apply strict allow-lists for scheme, host, and path before invoking worker or script loader APIs.Other Info
References
- https://owasp.org/www-project-web-security-testing-guide/latest/
- https://cwe.mitre.org/data/definitions/829.html