The results from OWASP's ZAP have been very useful for eliminating vulnerable parts of my website.
However, I've found a lot of results that I simply cannot fix. For example, into one of the GET parameters it has put javascript:alert(1); as the value. This variable is then output by PHP in a hidden element's value attribute, so the final HTML looks like:
<input type="hidden" name="someName" id="someID" value="javascript:alert(1);"/>
This value is normally used to populate a drop-down with JavaScript. If it's 1 it shows optional search filters; if 0 it shows nothing. So it's only used in a string comparison that fails.
I see no way for this to be exploited; the alert does not run like other attacks ZAP has shown me. The output is encoded, so they cannot inject HTML by ending the quotes or the element early with "/> like previously found attacks, as these characters become their HTML entity counterparts.
Is this just a false positive from ZAP matching the input string in the page source, since the encoded form of javascript:alert(1); is still exactly javascript:alert(1);?
One useful function that's native to JavaScript is the alert() function. This function will display text in a dialog box that pops up on the screen.
Analyze Input Vectors
Analyze each input vector to detect potential vulnerabilities. To detect an XSS vulnerability, the tester will typically use specially crafted input data with each input vector. Such input data is typically harmless, but triggers responses from the web browser that manifest the vulnerability.
XSS attacks may be conducted without using <script>...</script> tags. Other tags will do exactly the same thing, for example: <body onload=alert('test1')>, or other attributes like onmouseover and onerror.
The vulnerability means that ZAP managed to insert arbitrary code into that input field. This means that you're most likely not validating user input somewhere in the app.
You should be more careful about generating that input field, and ensure that the GET parameter(s) used to generate it are validated accordingly.
Remember, it's better to be safe than sorry (i.e. have your app compromised).
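To triage findings like the one in the question, the deciding factor is the attribute the reflection lands in, not whether the string matches. The following helper is an added example, not code from the question, the answer or ZAP: it mirrors PHP htmlspecialchars() with ENT_QUOTES (assumed to be what the asker's page applies), renders the asker's hidden input, and classifies each reflection of the parameter by context. The URL-attribute list is an assumption of this example.

```javascript
// Attributes where a javascript: value is a sink on its own (assumed list).
const URL_ATTRS = new Set(["href", "src", "action", "formaction"]);

// Mirror of PHP htmlspecialchars($s, ENT_QUOTES) for a double-quoted attribute.
function encodeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#039;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// The asker's rendering pattern: a hidden input whose value attribute is encoded.
function renderHidden(name, id, value) {
  return `<input type="hidden" name="${name}" id="${id}" value="${encodeAttr(value)}"/>`;
}

// Returns one {attr, verdict} per reflection found in a double-quoted attribute.
//   unencoded     - a character that needed encoding survived verbatim (real finding)
//   event-handler - lands inside an on* attribute, where no breakout is needed
//   url-scheme    - a javascript: value lands in a URL attribute
//   inert         - quoted, non-sink attribute; nothing executes at render time
// The raw-survival test is substring based, so keep test payloads distinctive.
function classifyReflections(html, payload) {
  const enc = encodeAttr(payload);
  if (enc !== payload && html.includes(payload)) return [{ attr: null, verdict: "unencoded" }];
  const results = [];
  for (const m of html.matchAll(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/g)) {
    const attr = m[1].toLowerCase();
    if (!m[2].includes(enc)) continue;
    let verdict = "inert";
    if (attr.startsWith("on")) verdict = "event-handler";
    else if (URL_ATTRS.has(attr) && /^\s*javascript:/i.test(payload)) verdict = "url-scheme";
    results.push({ attr, verdict });
  }
  return results;
}

// Constructed cases: the asker's hidden input, and a link where the same string matters.
const payload = "javascript:alert(1);";
const askerCase = classifyReflections(renderHidden("someName", "someID", payload), payload);
const linkCase = classifyReflections('<a href="javascript:alert(1);">x</a>', payload);
console.log(askerCase, linkCase);
```

An "inert" verdict only covers the rendered HTML; if the page's JavaScript later copies the value into a sink such as innerHTML or location, the string matters again, whereas the plain string comparison the asker describes does not.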