Details
Alert ID 90019-2
Alert Type Active
Status release
Risk High
CWE 94
WASC 20
Technologies Targeted Language / ASP
Language / PHP
Tags CWE-94
OWASP_2017_A01
OWASP_2021_A03
POLICY_API
POLICY_DEV_FULL
POLICY_QA_FULL
POLICY_QA_STD
POLICY_SEQUENCE
WSTG-V42-INPV-11
More Info Scan Rule Help

Summary

A code injection may be possible including custom code that will be evaluated by the scripting engine.

Solution

Do not trust client side input, even if there is client side validation in place. In general, type check all data on the server side and escape all data received from the client. Avoid the use of eval() functions combined with user input data.

Other Info

References

Code

org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java