Details

Alert ID: 90017
Alert Type: Active
Status: release
Risk: Medium
CWE: 91 (XML Injection, aka Blind XPath Injection)
WASC: 23 (XML Injection)
Technologies Targeted: All
Tags: CWE-91, OWASP_2017_A01, OWASP_2021_A03, POLICY_API, POLICY_DEV_CICD, POLICY_DEV_FULL, POLICY_DEV_STD, POLICY_QA_FULL, POLICY_QA_STD, POLICY_SEQUENCE
More Info: Scan Rule Help

Summary

Injection into XSL transformations (XSLT injection) may be possible: client-supplied data appears to reach an XSLT processor as part of a stylesheet rather than as plain data. Depending on the processor and its configuration, an attacker who controls stylesheet content can call functions such as system-property() or document() or vendor-specific extension functions, and may be able to read system information, read and write files, or execute arbitrary code on the server.

Solution

Validate and sanitize every value received from the client before it reaches the XSLT processor. Do not build a stylesheet by concatenating untrusted input and do not accept user-supplied stylesheets; keep stylesheets fixed and server-controlled and pass dynamic values in as XSLT parameters, where they are treated as data rather than instructions. In addition, run the processor with secure processing enabled and external resource access disabled, so that extension functions and document()/import/include of external resources are unavailable even if a stylesheet is compromised.
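The following is an added example illustrating the Summary and the Solution above; it is not code from the ZAP scan rule or from this page. It uses the standard JAXP API of the JDK (javax.xml.transform) with the JDK's built-in XSLT processor. The class and method names, the "Hello" template and the probe string are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltInjectionDemo {

    // Vulnerable pattern: the client-supplied string is spliced into the stylesheet
    // text, so anything that is valid XSLT (system-property('xsl:vendor'),
    // document('file:///...'), vendor extension functions) is executed by the
    // processor instead of being printed.
    static String vulnerable(String userInput, String xml) throws Exception {
        String stylesheet =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
          + "<xsl:output method=\"text\"/>"
          + "<xsl:template match=\"/\">Hello " + userInput + "</xsl:template>"
          + "</xsl:stylesheet>";
        TransformerFactory tf = TransformerFactory.newInstance(); // default, permissive settings
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    // Hardened pattern: a fixed, server-controlled stylesheet that receives the
    // client value through <xsl:param>; parameters are data, never instructions.
    static final String SAFE_STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:param name=\"name\"/>"
      + "<xsl:template match=\"/\">Hello <xsl:value-of select=\"$name\"/></xsl:template>"
      + "</xsl:stylesheet>";

    static String hardened(String userInput, String xml) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing: the JDK's built-in processor disables extension functions.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol lists: no external DTDs, and no document()/import/include of
        // external stylesheets over any protocol (file, http, ...).
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(SAFE_STYLESHEET)));
        t.setParameter("name", userInput);
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String xml = "<root/>";
        // Constructed vendor-fingerprinting probe of the kind an XSLT injection scan sends.
        String probe = "<xsl:value-of select=\"system-property('xsl:vendor')\"/>";

        // Vulnerable path: the probe runs and the output contains the processor's vendor string.
        System.out.println("vulnerable: " + vulnerable(probe, xml));
        // Hardened path: the same bytes come back verbatim after "Hello ", as text.
        System.out.println("hardened:   " + hardened(probe, xml));
    }
}
```

The two calls make the difference visible on one input: in vulnerable() the probe is compiled as part of the stylesheet and evaluates to the processor's vendor name (the same signal a scanner uses to confirm the injection), while in hardened() the value is bound to $name and is emitted unchanged. The factory settings are a second line of defence: they do not make concatenation safe, but they limit what a stylesheet can reach if one is ever compromised.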

Other Info

The response to the injected XSLT token contained error messages that suggest the input reached an XSLT processor, which may indicate that the application is vulnerable to XSLT injection.

References

Code

org/zaproxy/zap/extension/ascanrules/XsltInjectionScanRule.java