Details
Alert ID 90017
Alert Type Active
Status release
Risk Medium
CWE 91
WASC 23
Technologies Targeted All
Tags CWE-91
OWASP_2017_A01
OWASP_2021_A03
More Info Scan Rule Help

Summary

Injection using XSL transformations may be possible, and may allow an attacker to read system information, read and write files, or execute arbitrary code.

Solution

Validate and sanitize every user-supplied input on the server side before it reaches an XSLT processor. Do not build a stylesheet by concatenating client-supplied data into it; pass such values in as stylesheet parameters instead, and run the transformer with external resource access and extension functions disabled.

Other Info

The response to the injected XSLT token included error messages that may indicate the input reached an XSLT processor and that the application is vulnerable to XSLT injection.
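The following is an added illustration of the two lightweight checks described above (an error-based probe and a vendor-fingerprint probe), written for this page; it is not the source of XsltInjectionScanRule, and the payloads, indicator strings and sample responses are assumptions of the example rather than the rule's own lists.

```python
"""Added example: error-based and vendor-based XSLT-injection checks run
over HTTP response bodies. Illustrative code written for this page, not the
ZAP scan rule's own source; payloads and indicator lists are assumptions."""

# Payloads a scanner substitutes into a parameter. If the value is pasted
# into a stylesheet unescaped, the first breaks stylesheet compilation and
# the second makes the processor print its own name.
ERROR_PAYLOAD = "<"
VENDOR_PAYLOAD = "<xsl:value-of select=\"system-property('xsl:vendor')\"/>"

# Fragments of error messages typically produced by XML/XSLT engines when a
# stylesheet is malformed (assumed list for this example).
ERROR_INDICATORS = (
    "SAXParseException",
    "XSLT compile error",
    "compilation error",
    "TransformerException",
    "xsltParseStylesheet",
    "XPath syntax error",
)

# Values that system-property('xsl:vendor') commonly returns (assumed list).
VENDOR_INDICATORS = ("libxslt", "Saxon", "Xalan", "Microsoft",
                     "Apache Software Foundation")


def _present(body, indicators):
    """Indicator strings contained in body, matched case-insensitively."""
    lower = body.lower()
    return [s for s in indicators if s.lower() in lower]


def error_evidence(baseline_body, probe_body):
    """Error indicators that appear after the '<' probe but not in the
    baseline. Diffing against the baseline avoids flagging pages that
    always show such text (e.g. a page documenting XSLT errors)."""
    before = set(_present(baseline_body, ERROR_INDICATORS))
    return [s for s in _present(probe_body, ERROR_INDICATORS) if s not in before]


def vendor_evidence(baseline_body, probe_body):
    """Vendor names newly present after the vendor probe. If the probe text
    is echoed back (raw or HTML-encoded) the input was reflected, not
    evaluated, so the response is not evidence."""
    if "xsl:value-of" in probe_body:
        return []
    before = set(_present(baseline_body, VENDOR_INDICATORS))
    return [s for s in _present(probe_body, VENDOR_INDICATORS) if s not in before]


def assess(baseline_body, error_probe_body, vendor_probe_body):
    """Combine both checks the way an alert would: a leaked vendor name
    shows the stylesheet was actually evaluated; an error message only
    suggests that the input reached an XSLT processor."""
    vendor = vendor_evidence(baseline_body, vendor_probe_body)
    errors = error_evidence(baseline_body, error_probe_body)
    if vendor:
        return {"confidence": "high", "evidence": vendor}
    if errors:
        return {"confidence": "low", "evidence": errors}
    return {"confidence": "none", "evidence": []}


# Constructed sample responses (not captured from any real target).
BASELINE = "<html><body><h1>Report for alice</h1></body></html>"
ERROR_RESPONSE = (
    "<html><body><pre>org.xml.sax.SAXParseException; lineNumber: 4; "
    "columnNumber: 19; The content of elements must consist of well-formed "
    "character data or markup.</pre></body></html>"
)
VENDOR_RESPONSE = "<html><body><h1>Report for libxslt</h1></body></html>"
REFLECTED_RESPONSE = (
    "<html><body><h1>Report for &lt;xsl:value-of "
    "select=\"system-property('xsl:vendor')\"/&gt;</h1></body></html>"
)

if __name__ == "__main__":
    print(assess(BASELINE, ERROR_RESPONSE, VENDOR_RESPONSE))      # high, libxslt
    print(assess(BASELINE, ERROR_RESPONSE, REFLECTED_RESPONSE))   # low, error only
    print(assess(BASELINE, BASELINE, BASELINE))                   # none
```

The baseline comparison is the check worth keeping when adapting this: a vendor name or parser error that was already on the unmodified page tells you nothing, and a probe that comes back verbatim (escaped or not) shows reflection, not evaluation.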

References

Code

org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRule.java