
False Positive report on DOM-based XSS

See original GitHub issue

Describe the bug: DOM-based XSS vulnerabilities are raised which are not reproducible in a browser, despite having confidentiality “High”.

http://localhost:8181/#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e

a duplicate of this is also reported without a forward slash between 8181 and /#

Running a scan the second time adds another false-positive to the list: http://localhost:8181/?name=abc#<img src="random.gif" onerror=alert(5397)>

To Reproduce: steps to reproduce the behavior:

  1. download/clone https://github.com/meetinthemiddle-be/vulnerable-python-demo and run the container in Docker
  2. Open ZAP, Click “Automated scan” , paste in http://localhost:8181 and click Attack

Expected behavior: only the intended reflected XSS is reported.

Screenshots

Screenshot 2021-11-16 at 17 24 12

Software versions

  • ZAP: 2.11.0
  • Add-on: N/A
  • OS: MacOS BigSur 11.6.1
  • Java: $ java --version openjdk 17 2021-09-14 OpenJDK Runtime Environment (build 17+35-2724) OpenJDK 64-Bit Server VM (build 17+35-2724, mixed mode, sharing)
  • Browser: N/A

Errors from the zap.log file: none, only INFO log lines.

Additional context: N/A

Would you like to help fix this issue? Absolutely; let me know if there’s something I can help test on my end.
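The report above hinges on one question a triager has to answer for every DOM XSS finding: does any script on the page actually copy an attacker-controlled source (the URL fragment or query string) into a sink such as innerHTML? If nothing does, the payload has nowhere to land and the finding is a false positive. The following is an added example, not code from ZAP, from the demo app, or from the issue reporter: a small heuristic source-to-sink checker that a reviewer can run over a page's inline scripts to decide whether a scanner hit deserves a manual browser test. The source and sink lists, the assignment-based taint propagation and the two sample scripts are assumptions constructed for this example; the checker splits on newlines and semicolons and is a same-statement heuristic, not a real data-flow analysis.

```javascript
// Added example for triaging DOM XSS scanner findings (not part of ZAP or the
// original issue). Flags statements where a user-controlled DOM source, or a
// variable assigned from one, reaches a dangerous DOM sink.

// Common DOM XSS sources (assumed list for this example).
const DOM_SOURCES = [
  "location.hash", "location.search", "location.href",
  "document.URL", "document.documentURI", "document.referrer", "window.name",
];

// Common DOM XSS sinks (assumed list for this example).
const DOM_SINKS = [
  "innerHTML", "outerHTML", "insertAdjacentHTML", "document.write",
  "document.writeln", "eval", "setTimeout", "setInterval", "Function",
];

// Whole-token match so "eval" does not match "retrieval".
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function mentions(stmt, name) {
  return new RegExp("\\b" + escapeRe(name) + "\\b").test(stmt);
}

// Crude statement splitter: newlines and semicolons (ignores ';' inside strings).
function splitStatements(scriptText) {
  const out = [];
  scriptText.split("\n").forEach((line, idx) => {
    line.split(";").map((s) => s.trim()).filter(Boolean)
      .forEach((text) => out.push({ line: idx + 1, text }));
  });
  return out;
}

// Returns [{line, source, sink}] for statements where a tainted value hits a sink.
function findDomXssFlows(scriptText) {
  const stmts = splitStatements(scriptText);
  const tainted = new Set(DOM_SOURCES);

  // Pass 1: propagate taint through simple assignments (x = <tainted>) to a fixpoint.
  let changed = true;
  while (changed) {
    changed = false;
    for (const { text } of stmts) {
      const m = text.match(/^(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)/);
      if (!m) continue;
      const rhs = text.slice(m[0].length);
      if (![...tainted].some((t) => mentions(rhs, t))) continue;
      if (!tainted.has(m[1])) { tainted.add(m[1]); changed = true; }
    }
  }

  // Pass 2: report every statement that uses a sink together with a tainted value.
  const findings = [];
  for (const { line, text } of stmts) {
    const sink = DOM_SINKS.find((k) => mentions(text, k));
    if (!sink) continue;
    const source = [...tainted].find((t) => mentions(text, t));
    if (source) findings.push({ line, source, sink });
  }
  return findings;
}

// Triage verdict: no source-to-sink statement means the fragment/query payload
// has nothing to land in, so the scanner hit is most likely a false positive.
function triageFragmentFinding(scriptText) {
  return findDomXssFlows(scriptText).length === 0
    ? "likely false positive"
    : "needs manual review";
}

// Constructed sample scripts (hypothetical, not taken from the demo app).
const SAFE_SCRIPT = [
  'const name = new URLSearchParams(location.search).get("name");',
  'document.getElementById("greeting").textContent = name || "guest";',
].join("\n");

const RISKY_SCRIPT = [
  "const frag = decodeURIComponent(location.hash.slice(1));",
  'document.getElementById("out").innerHTML = frag;',
].join("\n");

console.log(triageFragmentFinding(SAFE_SCRIPT));   // likely false positive
console.log(findDomXssFlows(RISKY_SCRIPT));        // [{ line: 2, source: 'frag', sink: 'innerHTML' }]
```

A "needs manual review" verdict is only a pointer to the statement worth reproducing in a browser; a "likely false positive" verdict on inline scripts still says nothing about external bundles, so feed those through the same function before closing a finding.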

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:16 (9 by maintainers)

Top GitHub Comments

1 reaction
kingthorin commented, Nov 16, 2021

Okay, I’ll grab the test app you mentioned and see if I can sort out what’s up.

1 reaction
meetinthemiddle-be commented, Nov 16, 2021

Also, as you advised another user with a similar problem on https://groups.google.com/g/zaproxy-users/c/tcnjPkVUNjM, I triggered the JuiceShop DOM XSS and my Firefox installation is not blocking the XSS payload there, so I’m quite sure it’s not a browser issue.
