I am using OWASP ZAP to scan my web-application, developed using asp.net framework/C#.
I am being tasked by the company to ensure that NO error is reported by OWASP ZAP.
The OWASP ZAP reported this log:
Issue: Cross Site Scripting (DOM Based)
URL:
http://[WEBSITE]/myapplication/script.aspx#jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>x3csVg/<sVg/oNloAd=alert()//>x3e
I understand that the fragment (#hex) will not be sent to the server for processing; it is more for the browser to process.
So what am I supposed to do to ensure it never gets reported again in OWASP ZAP?
I've done the following actions, but with no luck:
1. On the page, I embedded the JavaScript code to remove the hashtag in the URL (Remove fragment in URL with JavaScript w/out causing page reload). It works, and I can see it being removed in the browser. But OWASP ZAP still reports it as a problem.
2. Similar to #1, I came up with JavaScript to detect whether a #-fragment exists in the URL. If it exists, then redirect to an "error" page. It is working, but ZAP again still reports it as a problem.
I guess since the browser never sends the # to the server for validation, I have no way to sanitize it. By the time ZAP/the browser receives the response, ZAP will report it as an issue.
So, what shall I do? I just want OWASP ZAP to never report this issue anymore.
Any ideas?
question from:
https://stackoverflow.com/questions/65924298/how-to-solve-fix-dom-xss-issue-reported-by-owasp-zap
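An added example, not part of the question and not the asker's, ASP.NET's or ZAP's code: because the fragment never reaches the server, the only place it can be made harmless is the client-side script that reads location.hash. The code below contrasts the vulnerable sink (fragment concatenated into markup) with a hardened one that validates the fragment against an identifier allowlist and writes it through textContent, plus an HTML-escaping helper for the case where the value must end up inside markup. The element stub, the allowlist pattern and the sample fragments are constructed so the code runs under Node without a browser.

```javascript
// Added example, not from the question, the asker or ZAP.
// Shows the DOM XSS pattern at its sink: reading location.hash and either
// (a) concatenating it into markup, or (b) validating it and writing text.
// Everything below is self-contained and runs under Node without a browser.

// Allowlist (constructed for this example) for a fragment used as an in-page
// anchor or tab name: it should only ever look like an identifier.
// Anything else is rejected outright rather than "cleaned up".
const FRAGMENT_ID = /^[A-Za-z0-9_-]{1,64}$/;

// Strip the leading '#' and percent-decode; null when decoding fails.
function rawFragment(hash) {
  if (typeof hash !== 'string') return null;
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(body);
  } catch (e) {
    return null; // malformed percent-encoding is rejected, not guessed at
  }
}

// Return the fragment as a validated identifier, or null if it does not fit.
function parseFragment(hash) {
  const value = rawFragment(hash);
  return value !== null && FRAGMENT_ID.test(value) ? value : null;
}

// Escape the characters that change meaning when text is inserted as HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable pattern (kept only for contrast): the decoded fragment becomes
// markup unchanged, so any tag it contains is parsed by the browser.
function renderUnsafe(hash) {
  return '<h2>' + (rawFragment(hash) ?? '') + '</h2>';
}

// Hardened pattern: validate first, then write through textContent, which
// the browser treats as text no matter what characters it contains.
function renderSafe(hash, el) {
  const id = parseFragment(hash);
  el.textContent = id === null ? 'Section not found' : 'Section: ' + id;
  return el.textContent;
}

// If the value really must be placed inside markup, escape it on the way in.
function renderEscaped(hash) {
  return '<h2>' + escapeHtml(rawFragment(hash) ?? '') + '</h2>';
}

// Stand-alone demo with a constructed element stub and constructed fragments.
const stubElement = { textContent: '' };
for (const sample of ['#section-2', '#%3Cb%3Ex', '#%E0%A4%A']) {
  console.log(sample, '->', renderSafe(sample, stubElement), '|', renderUnsafe(sample));
}
```

The point of the contrast is where the fix lives: stripping the fragment from the address bar or redirecting afterwards, as in the two attempts in the question, does not change what the page's own script already did with `location.hash`. Validating at the point of use and choosing a text sink over an HTML sink is what removes the DOM XSS condition itself.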