DOM XSS alert has no evidence returned


David S.

Jul 22, 2021, 8:23:10 PM
to OWASP ZAP User Group

Hi. ZAP reports DOM XSS attack issues but no response is returned, so how does ZAP determine there exists an issue?

The attack is by appending #blablabla to the .asp/.html

https://1.2.3.4/x.htm#blabla or https://1.2.3.4/x.asp#blabla

where blabla from ZAP are...

#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

or 

#javascript:alert(1)

I also recall seeing others like x.asp?a=1&b=1#blabla

Thanks/david

Simon Bennetts

Jul 23, 2021, 3:21:44 AM
to OWASP ZAP User Group
Hiya,

That's described in the help for the DOM XSS add-on: https://www.zaproxy.org/docs/desktop/addons/dom-xss-active-scan-rule/

Cheers,

Simon

David S.

Jul 23, 2021, 10:08:33 AM
to OWASP ZAP User Group

Use Reply all instead :)

If not mistaken, ZAP detects potential issues by detecting the browser alert popups when it appends #alert() or #alert(1).

Will it cause a false positive when the page has its own alert("blabla")?

The blank response page of the DOM XSS alert report still confuses me :) when other trigger alerts have content in the response.


David S.

Jul 24, 2021, 9:02:26 PM
to OWASP ZAP User Group
ZAP does not seem to report those DOM XSS after I change my own alert to console.log.
Please advise.
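
The false-positive question raised in the posts above can be modelled in a few lines. This is an added example, not part of the thread and not ZAP's implementation; the page models, the probe token and the function names are constructed for illustration.

```javascript
// Toy model of dialog-based DOM XSS detection (constructed, not ZAP's code).
// A "page" is modelled as a function (hash, alert) that runs the page's scripts.
const pages = {
  // Ignores the fragment, but always shows its own dialog.
  ownAlert: (hash, alert) => { alert("blabla"); },
  // Ignores the fragment and shows nothing (e.g. alert swapped for console.log).
  quiet: (hash, alert) => {},
  // Deliberately vulnerable: executes a javascript: fragment as code.
  hashToCode: (hash, alert) => {
    const prefix = "#javascript:";
    if (hash.startsWith(prefix)) {
      new Function("alert", hash.slice(prefix.length))(alert);
    }
  },
};

// Load a page with the given fragment and return every dialog message it opened.
function dialogsFor(page, hash) {
  const seen = [];
  page(hash, (msg) => seen.push(String(msg)));
  return seen;
}

// Naive check: any dialog seen after sending the probe counts as a finding.
function naiveCheck(page) {
  return dialogsFor(page, "#javascript:alert(1)").length > 0;
}

// Stricter check: the dialog must carry a token that only the probe contains.
// The token value is a constructed placeholder.
function tokenCheck(page, token = "probe-7f3a91") {
  const probe = `#javascript:alert("${token}")`;
  return dialogsFor(page, probe).includes(token);
}

// Run both checks against every modelled page.
function report() {
  return Object.fromEntries(Object.entries(pages).map(
    ([name, page]) => [name, { naive: naiveCheck(page), token: tokenCheck(page) }]));
}

console.log(report());
```

In this model the page with its own `alert("blabla")` trips the naive check but not the token check, and the page without any dialog trips neither.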

kingthorin+owaspzap

Jul 24, 2021, 11:58:07 PM
to OWASP ZAP User Group