When scanning for XSS bugs, ZAP replaces the value in the parameter with the test string,
which in some cases breaks the logic of the webapp. You'll get a lot more results by
simply re-submitting it with the XSS tag appended to the parameter value (in my experience
at least).
Example:
Original:
site.com/index.php?q=lolcats&page=1
ZAP:
site.com/index.php?q=<script>alert("ZAP")</script>&page=1
Desired behavior:
site.com/index.php?q=lolcats<script>alert("ZAP")</script>
I've encountered a couple of web-apps where this has been a problem, and it is causing
false negatives, because if I append an attack string onto it, it does indeed have
an XSS bug.
Original issue reported on code.google.com by fitblip on 2010-12-17 23:09:23
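The two injection strategies described in the report, as an added Python example that is not ZAP's own code. `inject` builds one mutated URL per query parameter in either "replace" mode (the behaviour the report attributes to ZAP) or "append" mode (the requested behaviour). `toy_search_page` is a constructed stand-in for the kind of webapp the reporter ran into: it only renders (and unsafely reflects) `q` when the value still looks like a real search term, so a payload that overwrites the value never reaches the vulnerable template. The hostname, the handler logic and the "first character must be alphanumeric" check are all assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# The same marker payload the report uses.
PAYLOAD = '<script>alert("ZAP")</script>'
# Constructed sample URL, matching the report's example.
SAMPLE_URL = "http://site.com/index.php?q=lolcats&page=1"


def inject(url, payload, mode):
    """Return {param_name: mutated_url} for every query parameter in url.

    mode="replace": the original value is swapped for the payload.
    mode="append":  the original value is kept and the payload is added to its end.
    Values are percent-encoded by urlencode, as a real HTTP client would send them.
    """
    if mode not in ("replace", "append"):
        raise ValueError("mode must be 'replace' or 'append'")
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    mutated_urls = {}
    for i, (name, value) in enumerate(params):
        mutated = list(params)
        new_value = payload if mode == "replace" else value + payload
        mutated[i] = (name, new_value)
        mutated_urls[name] = urlunsplit(parts._replace(query=urlencode(mutated)))
    return mutated_urls


def toy_search_page(url):
    """Constructed, deliberately XSS-vulnerable handler (assumption, not a real app).

    It gates on the shape of q before rendering: a query whose first character is
    not alphanumeric is treated as invalid and answered with a static page that
    never echoes user input. A query that passes the gate is reflected unescaped.
    """
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    q = params.get("q", "")
    if not q or not q[0].isalnum():
        return "<p>Invalid search.</p>"
    return f"<h1>Results for {q}</h1>"


def detects_xss(url, mode, payload=PAYLOAD, app=toy_search_page):
    """Send one mutated request per parameter to app() and return the names of the
    parameters whose response contains the payload verbatim."""
    hits = []
    for name, mutated_url in inject(url, payload, mode).items():
        if payload in app(mutated_url):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for mode in ("replace", "append"):
        print(f"{mode:8s} -> flagged parameters: {detects_xss(SAMPLE_URL, mode)}")
```

Run against the toy handler, "replace" mode flags nothing (the overwritten `q` fails the shape check, and mutating `page` leaves `q` harmless), while "append" mode flags `q`. The two strategies are complementary rather than interchangeable: appending keeps values that are validated by shape, but will itself be rejected where the original value must match exactly (an enumerated option, a strictly numeric `page`), so a scanner that tries both covers more of the reflection paths than either alone.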