how to solve OWASP ZAP reported “alert(1);” XSS vulnerability

给你一囗甜甜゛ submitted on 2019-12-13 08:55:35

Question


After running OWASP ZAP scanning tool against our application, we see a number of XSS vulnerabilities when the tool attacked with this string:

" onMouseOver="alert(1);

or

;alert(1)

So such strings appear in the server response, though they don't do anything in the browser. Maybe it's trying to insert additional attributes into HTML tags, but how do we solve the problem?


Answer 1:


If you can post the html surrounding the injected attack then that might be enough. If you select the alert in ZAP then the attack will be highlighted in the Response tab. Note that we have just released updated active scan rules which fix a false positive in the reflected XSS scan rule, so make sure you update the rules and then scan again.




Answer 2:


Read up on what a cross-site scripting vulnerability can do to your application. The short answer is to have input validation or output encoding so you do not treat malicious input as actual script.

The long answer can be found at: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

The solution cheat sheet is here: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Hope this helps
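As an added illustration of the output-encoding advice above (example code, not part of either answer or of ZAP), the following shows why ZAP flags the first payload from the question: reflected unencoded into a double-quoted attribute, the quote closes the value and the remainder becomes a new onmouseover attribute; with attribute-context HTML encoding the whole string stays inside the value. The render functions, the parser helper and the sample markup are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the attribute-context string ZAP injected, as quoted in the question.
ZAP_ATTR_PAYLOAD = '" onMouseOver="alert(1);'


def render_unsafe(user_input: str) -> str:
    """Reflect input into an attribute value with no output encoding.

    This is the pattern behind the finding: a double quote in the input ends
    the value attribute and the rest of the string is parsed as new attributes.
    """
    return f'<input type="text" name="q" value="{user_input}">'


def render_encoded(user_input: str) -> str:
    """Same markup, with the input HTML-entity encoded for an attribute context.

    html.escape(..., quote=True) encodes & < > " and ', so the value cannot
    terminate the attribute it is placed in (the cheat sheet's rule for this context).
    """
    return f'<input type="text" name="q" value="{html.escape(user_input, quote=True)}">'


def reflected_verbatim(response_body: str, payload: str) -> bool:
    """Rough version of a scanner's check: does the payload appear
    character-for-character in the response? If so, the input reached the
    page unencoded and can alter the markup."""
    return payload in response_body


class _InputAttrs(HTMLParser):
    """Collect the attributes the browser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)  # names are lowercased, values entity-decoded


def parse_input_attrs(markup: str) -> dict:
    """Return the <input> tag's attributes as a browser-like parser sees them."""
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs
```

The unsafe rendering yields an extra `onmouseover` attribute, while the encoded rendering yields a `value` attribute equal to the original string and nothing else; the second payload from the question (`;alert(1)`) targets a JavaScript context, where HTML encoding alone is not the right rule and the cheat sheet's JavaScript-context guidance applies instead.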



Source: https://stackoverflow.com/questions/23838300/how-to-solve-owasp-zap-reported-alert1-xss-vulnerability
