how to solve OWASP ZAP reported "alert(1);" XSS vulnerability
After running OWASP ZAP scanning tool against our application, we see a number of XSS vulnerabilities when the tool attacked with this string:

" onMouseOver="alert(1);

or

;alert(1)

So such strings appear in the server response, though they don't do anything in the browser. Maybe it's trying to insert additional attributes into HTML tags, but how do I solve the problem?

Daphinedaphna answered 23/5, 2014 at 21:3 Comment(1)
In order for someone to find the problem, you would need to show your script. Otherwise, they're just guessing. Carlicarlick
If you can post the html surrounding the injected attack then that might be enough. If you select the alert in ZAP then the attack will be highlighted in the Response tab. Note that we have just released updated active scan rules which fix a false positive in the reflected XSS scan rule, so make sure you update the rules and then scan again.

Substitution answered 24/5, 2014 at 8:52 Comment(2)
It's already updated to the newest version. One occurrence of it is when a user selects search criteria and we display it in the page; the HTML copied from ZAP is: <td style="HEIGHT: 31px" vAlign="bottom"><span id="lblSearchCreteria" class="clsSubTitle" style="display:inline-block;font-weight:bold;height:26px;width:100%;">Page Accessed: General; Date Range: 01/01/2011 to 02/01/2011; User last name contains: " onMouseOver="alert(1);; </span></td> That means the user selected page "General" to search with the date range for users whose last name contains " onMouseOver="alert(1); Daphinedaphna
Ah, I think I can see why that is. ZAP is not taking into account the inner 'span' tag. I've raised it as an issue: code.google.com/p/zaproxy/issues/detail?id=1222 If you star that then you will be updated when we address it. Many thanks, Simon. Substitution
Read up on what a cross-site scripting vulnerability can do to your application. The short answer is to have input validation or output encoding so you do not treat malicious input as actual script.

The long answer can be found at: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

The solution cheat sheet is here: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Hope this helps

Boater answered 11/7, 2014 at 17:46 Comment(0)
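An added example in Python, not code from the question, from any answer, or from ZAP itself: it HTML-encodes the reflected search criteria before it is placed in the span, as the answer above and the OWASP cheat sheet recommend, and it classifies where a reflected marker actually lands in a response (inside a tag's attributes, or only in text content), which is the distinction Simon says the scan rule missed on the inner span. The function names and the sample markup are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the exact string ZAP injected in the question.
PAYLOAD = '" onMouseOver="alert(1);'


def render_criteria(last_name: str) -> str:
    """Build the criteria span from the question, HTML-encoding the
    user-supplied value first (quotes become &quot;, < becomes &lt;)."""
    safe = html.escape(last_name, quote=True)
    return ('<span id="lblSearchCreteria">User last name contains: '
            + safe + '; </span>')


class _ContextFinder(HTMLParser):
    """Record whether a marker string was parsed as part of a tag's
    attributes (a real attribute injection) or only as text content."""

    def __init__(self, marker: str):
        super().__init__()
        self.marker = marker
        self.in_attribute = False
        self.in_text = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if self.marker in name or (value and self.marker in value):
                self.in_attribute = True

    def handle_data(self, data):
        if self.marker in data:
            self.in_text = True


def reflection_context(response_html: str, marker: str) -> str:
    """Return 'attribute', 'text' or 'absent' for where marker was reflected.
    Only 'attribute' means the payload broke out of the markup."""
    finder = _ContextFinder(marker)
    finder.feed(response_html)
    finder.close()
    if finder.in_attribute:
        return "attribute"
    return "text" if finder.in_text else "absent"


if __name__ == "__main__":
    # Unencoded reflection inside span text: the case from the question.
    unsafe_text = '<span>User last name contains: ' + PAYLOAD + '; </span>'
    print(reflection_context(unsafe_text, "alert(1)"))          # text
    # Unencoded reflection inside an attribute: a genuine injection.
    unsafe_attr = '<input value="' + PAYLOAD + '">'
    print(reflection_context(unsafe_attr, "alert(1)"))          # attribute
    print(render_criteria(PAYLOAD))                             # encoded span
```

Encoding the value does not change where it lands (it stays text), but it guarantees a value can never close the quote or the tag when the same code later writes it into an attribute.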

© 2022 - 2024 — McMap. All rights reserved.