| Details | |
|---|---|
| Alert ID | 220009-1 |
| Alert Type | Tool |
| Status | alpha |
| Risk | Medium |
| CWE | 451 |
| WASC | |
| Technologies Targeted | All |
| Tags | CWE-451 OWASP_2021_A05 OWASP_2025_A02 TOOL_PTK |
Summary
Detects DOM code that rewrites link destinations (href attributes) with attacker-controlled data. Manipulated links can mislead users into visiting malicious targets even if navigation is not forced automatically.
Generated by OWASP PTK SAST Module
Solution
- Allow-list link destinations or map tokens to server-side known URLs; do not reflect arbitrary strings into href attributes.
- Ensure displayed link text matches the trusted destination so users cannot be tricked into clicking a mismatched URL.
- Sanitise or normalise protocol and hostname components (e.g., enforce https, same-origin).

Other Info
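The token-to-known-URL mapping and the protocol/hostname check from the Solution, as an added browser-side example (not PTK or ZAP code; the allow-listed hosts, the `KNOWN_LINKS` table and the sample inputs are constructed for illustration):

```javascript
// Added example of hardened href rewriting (CWE-451). Hosts and links are constructed.

// Server-side known destinations: the page receives a token, never a raw URL.
const KNOWN_LINKS = {
  docs: "https://example.test/docs",
  support: "https://example.test/support",
};

// Hosts this page may link to when a full URL (rather than a token) is supplied.
const ALLOWED_HOSTS = new Set(["example.test", "cdn.example.test"]);

// The pattern the alert flags: untrusted data copied straight into href.
function vulnerableHref(untrusted) {
  return untrusted; // nothing stops a foreign host or a non-http scheme
}

// Resolve a token to a known URL; unknown tokens (and prototype names) yield null.
function resolveToken(token) {
  return Object.prototype.hasOwnProperty.call(KNOWN_LINKS, token) ? KNOWN_LINKS[token] : null;
}

// Accept a full URL only if it parses absolutely, is https, and is on an allowed host.
function safeUrl(candidate) {
  let url;
  try {
    url = new URL(candidate); // relative or protocol-relative strings throw here
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // userinfo tricks fail here
  return url.href; // normalised form (host lower-cased)
}

// Set href and keep the visible text equal to the trusted destination.
function setLink(anchor, untrusted) {
  const target = resolveToken(untrusted) ?? safeUrl(untrusted);
  if (target === null) {
    anchor.removeAttribute("href");
    anchor.textContent = "(link unavailable)";
    return null;
  }
  anchor.setAttribute("href", target);
  anchor.textContent = target;
  return target;
}
```

`setLink` returns the destination it applied (or null) so the decision can be logged or unit-tested without a real DOM.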
References
- https://owasp.org/www-community/attacks/Content_Spoofing
- https://cwe.mitre.org/data/definitions/451.html