zaproxy: False Positive report on DOM-based XSS
Describe the bug
DOM-based XSS vulnerabilities are raised which are not reproducible in a browser, despite having confidentiality “High”.
http://localhost:8181/#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e
A duplicate of this is also reported without a forward slash between 8181 and /#
Running a scan the second time adds another false-positive to the list:
http://localhost:8181/?name=abc#<img src="random.gif" onerror=alert(5397)>
To Reproduce
Steps to reproduce the behavior:
- download/clone https://github.com/meetinthemiddle-be/vulnerable-python-demo and run the container in Docker
- Open ZAP, Click “Automated scan” , paste in http://localhost:8181 and click Attack
Expected behavior
Only the intended reflected XSS is reported
Software versions
- ZAP: 2.11.0
- Add-on: N/A
- OS: MacOS BigSur 11.6.1
- Java:
$ java --version
openjdk 17 2021-09-14
OpenJDK Runtime Environment (build 17+35-2724)
OpenJDK 64-Bit Server VM (build 17+35-2724, mixed mode, sharing)
- Browser: N/A
Errors from the zap.log file
None, only INFO loglines
Additional context
N/A
Would you like to help fix this issue?
Absolutely; let me know if there’s something I can help test on my end
About this issue
- State: closed
- Created 3 years ago
- Comments: 16 (9 by maintainers)
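A small triage helper for findings like the ones above, added here as an example and not part of the issue, the demo app or ZAP's own code. It locates the scanner's `alert(5397)` canary inside each reported URL. Anything after `#` is never transmitted by the browser, so a server-rendered page cannot reflect it; a fragment-only finding can only be genuine if the page's own script reads a DOM source such as `location.hash` and feeds it to a sink. The URL list reuses the URLs quoted in the report; the `page_js` argument, the `DOM_SOURCES` list and the extra query-string URL in the usage are constructed assumptions, not something the page states about the demo app.

```python
"""Triage a DOM-XSS finding by locating the scanner's marker inside the reported URL.

Added example, not part of the issue or of ZAP. The marker constant, the DOM source
list and the page_js argument are assumptions made for illustration.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample input: the URLs quoted in the report above, payloads kept verbatim.
REPORTED_URLS = [
    r'''http://localhost:8181/#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e''',
    r'''http://localhost:8181#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e''',
    'http://localhost:8181/?name=abc#<img src="random.gif" onerror=alert(5397)>',
]

# Client-side sources that could carry a fragment payload into a sink (assumed list, not exhaustive).
DOM_SOURCES = ("location.hash", "location.href", "document.URL", "document.location", "window.location")

MARKER = "alert(5397)"  # the canary ZAP used in this report

FRAGMENT_ONLY_NO_SOURCE = "fragment-only, no DOM source in page script: likely false positive"
FRAGMENT_ONLY_SOURCE = "fragment-only, DOM source present: confirm manually in a browser"
SERVER_REACHABLE = "payload in path or query: check the server response for reflection"
NO_PAYLOAD = "marker not found"


def payload_locations(url, marker=MARKER):
    """Return the URL components (path, query, fragment) that contain the marker."""
    parts = urlsplit(url)
    hits = []
    for name, value in (("path", parts.path), ("query", parts.query), ("fragment", parts.fragment)):
        # unquote so a percent-encoded marker is still recognised
        if marker in unquote(value):
            hits.append(name)
    return hits


def classify(url, page_js="", marker=MARKER):
    """Classify a reported URL given the page's client-side script (constructed input)."""
    hits = payload_locations(url, marker)
    if not hits:
        return NO_PAYLOAD
    if hits == ["fragment"]:
        # Browsers never transmit the fragment, so the server cannot reflect it;
        # only script reading a DOM source could move it into a sink.
        if any(src in page_js for src in DOM_SOURCES):
            return FRAGMENT_ONLY_SOURCE
        return FRAGMENT_ONLY_NO_SOURCE
    return SERVER_REACHABLE


if __name__ == "__main__":
    for u in REPORTED_URLS:
        print(payload_locations(u), "->", classify(u))
    # Constructed contrast case: the same marker in the query string is server-reachable.
    print(classify("http://localhost:8181/?name=alert(5397)"))
```

All three URLs from the report classify as fragment-only, which is the first thing to confirm before spending time reproducing an alert in a browser; the `page_js` argument is where you would paste the demo app's inline or bundled script to see whether any DOM source is read at all.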
Okay, I’ll grab the test app you mentioned and see if I can sort out what’s up.
Also, as you advised another user with a similar problem on https://groups.google.com/g/zaproxy-users/c/tcnjPkVUNjM, I triggered the JuiceShop DOM XSS and my Firefox installation is not blocking the XSS payload there, so I’m quite sure it’s not a browser issue.